A coordinated international law enforcement operation involving the FBI and police agencies worldwide has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire.
The operation has led to the seizure of the sales website www.worldwiredlabs[.]com and a Croatian national who is suspected to be the website’s administrator has been arrested.
NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities.
The malware which has been advertised since at least 2012, is typically distributed via malspam campaigns and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities.
The service was sold via the website, where users could sign up for subscriptions for as little as $10 a month, which included support.
The U.S. Department of Justice (DoJ) said an investigation into the malware operation was launched by the Federal Bureau of Investigation (FBI) in 2020, with the agency creating an account on the site and paying for a subscription to create a custom NetWire RAT instance.
NetWire, over the past year, has been used by multiple threat actors, including TA2541 and OPERA1ER, to break into targets of interest and gather sensitive information. It also emerged as one of the most prevalent RATs during Q4 2022.
Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office stated that by removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem.
The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.