WiryJMPer Dropper Employs Heavy Obfuscation to Deliver Netwire

A recently discovered malware dropper employs heavy obfuscation and poses as a virtual coin wallet, in an attempt to deliver a Netwire payload, Avast’s security researchers reveal.

Dubbed WiryJMPer, the dropper looks like a regular WinBin2Iso binary (an app that converts CD/DVD/Blu-ray images to ISO), but the file is roughly three times the size it should be, owing to a suspiciously large .rsrc section.

A JMP instruction in the code that normally handles window messages has been patched to jump into the .rsrc section instead. As a result, an unresponsive WinBin2Iso window appears briefly before the ABBC Coin wallet window takes over. Because the wallet window is shown on every launch, it is a clear sign of infection.

“While this functionality isn’t novel in any sense and no sandbox evasion was utilized, the obfuscation was uncommon enough to gain our attention. The combination of control flow obfuscation and low level code abstraction made the analysis of the malware’s workflow rather tedious,” Avast’s security researchers explain.

The binary had a low detection rate on VirusTotal when first analyzed, and the researchers also found that the obfuscated loader uses a (possibly custom) stack-based virtual machine during the RC4 key schedule.

The WinBin2Iso binary has a patched jump that leads into the .rsrc section, where a loader is decrypted, mapped into memory and relocated.
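The two static tells described above, an oversized .rsrc section and a direct JMP from code into it, can be checked without running the sample. The script below is an added example written for this article, not code from Avast or from the WiryJMPer write-up: it parses the PE section table in pure Python, scans executable sections for E9 rel32 jumps whose destination lands in .rsrc, and reports the .rsrc share of the file. The 50% size threshold, the executable-.rsrc check and the PE image it builds for the demo are assumptions made here; the constructed image is not the real sample.

```python
"""Static triage for the WiryJMPer tell: oversized .rsrc plus a patched JMP into it.
Pure-Python PE section parsing (no pefile); the demo image is constructed inline."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(data: bytes) -> list:
    """Walk the PE section table and return one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
    return sections


def jumps_into(data: bytes, sections: list, target: dict) -> list:
    """Byte-scan executable sections for E9 rel32 (JMP) whose destination RVA lands
    inside `target`. No disassembly is done, so a stray 0xE9 data byte can give a
    false positive; treat hits as leads to confirm in a disassembler."""
    lo = target["vaddr"]
    hi = lo + max(target["vsize"], target["raw_size"])
    hits = []
    for s in sections:
        if not s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        start, end = s["raw_ptr"], min(s["raw_ptr"] + s["raw_size"], len(data))
        for i in range(start, end - 4):
            if data[i] != 0xE9:
                continue
            rel = struct.unpack_from("<i", data, i + 1)[0]
            src = s["vaddr"] + (i - start)
            dst = src + 5 + rel  # rel32 is relative to the next instruction
            if lo <= dst < hi:
                hits.append((s["name"], src, dst))
    return hits


def triage(data: bytes, max_rsrc_share: float = 0.5) -> dict:
    """Report .rsrc share of the file, whether .rsrc is executable, and JMPs into it.
    The 50% threshold is a heuristic chosen here, not a figure from the write-up."""
    sections = parse_sections(data)
    rsrc = next((s for s in sections if s["name"] == ".rsrc"), None)
    if rsrc is None:
        return {"rsrc_share": 0.0, "rsrc_oversized": False,
                "rsrc_executable": False, "jumps_into_rsrc": []}
    share = rsrc["raw_size"] / len(data)
    return {"rsrc_share": share,
            "rsrc_oversized": share > max_rsrc_share,
            "rsrc_executable": bool(rsrc["characteristics"] & IMAGE_SCN_MEM_EXECUTE),
            "jumps_into_rsrc": jumps_into(data, sections, rsrc)}


def build_sample(rsrc_size: int = 0x3000, patched: bool = True, rsrc_exec: bool = True) -> bytes:
    """Construct a minimal 32-bit PE image for the demo (not a real sample): a
    NOP-filled .text and a .rsrc; with patched=True, .text carries a JMP into .rsrc."""
    text_rva, rsrc_rva, text_raw, rsrc_raw, text_size = 0x1000, 0x2000, 0x400, 0x600, 0x200
    text = bytearray(b"\x90" * text_size)
    if patched:
        jmp_rva = text_rva + 0x10
        rel32 = (rsrc_rva + 0x40) - (jmp_rva + 5)  # JMP to rsrc_rva + 0x40
        text[0x10:0x15] = b"\xE9" + struct.pack("<i", rel32)
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H14xI", opt, 0, 0x10B, text_rva)  # Magic=PE32, AddressOfEntryPoint

    def sec(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    rsrc_chars = 0x40000040 | (IMAGE_SCN_MEM_EXECUTE if rsrc_exec else 0)
    hdr += opt + sec(b".text", text_size, text_rva, text_size, text_raw, 0x60000020) \
               + sec(b".rsrc", rsrc_size, rsrc_rva, rsrc_size, rsrc_raw, rsrc_chars)
    image = bytearray(rsrc_raw + rsrc_size)
    image[:len(hdr)] = hdr
    image[text_raw:text_raw + text_size] = text
    return bytes(image)


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(rsrc_size=0x200, patched=False, rsrc_exec=False)))
```

Run it against a real file with `triage(open(path, "rb").read())`. A hit in `jumps_into_rsrc` gives the RVA of the suspect JMP and its destination, which is the right place to start the manual analysis of the decrypted loader.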

The loader handles the rest of the infection process: it loads ntdll.dll into memory, decrypts auxiliary data such as the LNK filename and the RC4 decryption password, and then decrypts the Netwire payload and the "decoy" binary (the ABBC Coin wallet).

The Netwire payload is loaded into memory and the decoy is saved to disk. The loader also attempts to achieve persistence by copying the original binary to %APPDATA%\abbcdriver.exe and creating a LNK file pointing to it in the Startup folder.
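The persistence artefact just described, a Startup-folder shortcut whose target is an executable under %APPDATA%, is something an analyst can hunt for directly. The script below is an added example written for this article, not Avast's or the malware's code: it is a minimal MS-SHLLINK (.lnk) parser that reads the local base path from the LinkInfo structure, plus a check that flags targets that are .exe files under a given %APPDATA%. The sample shortcut it builds, the user name and the directory layout are constructed here for the demonstration, not taken from a real infection.

```python
"""Hunt for a Startup .lnk whose target is an .exe under %APPDATA%.
Minimal MS-SHLLINK parser: header plus the LinkInfo local base path."""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("cp1252", "replace")


def lnk_target(data: bytes) -> str:
    """Return the local target path recorded in a shortcut, or "" if it has none."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: 2-byte size followed by items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return ""
    _size, _hdr, info_flags, _vol, base_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return ""  # network-only target, out of scope here
    return _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)


def is_appdata_exe(target: str, appdata: str) -> bool:
    """True when the shortcut target is an .exe located under the given %APPDATA%."""
    t = target.lower().replace("/", "\\")
    return t.startswith(appdata.lower().rstrip("\\") + "\\") and t.endswith(".exe")


def scan_startup(startup_dir: str, appdata: str) -> list:
    """Return (shortcut name, target) for every Startup .lnk pointing at an %APPDATA% .exe."""
    hits = []
    for name in os.listdir(startup_dir):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(startup_dir, name), "rb") as f:
                target = lnk_target(f.read())
            if is_appdata_exe(target, appdata):
                hits.append((name, target))
    return hits


def build_sample(target: str) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo with VolumeID and local base path)
    for the demo; a shortcut written by Explorer carries more fields than this."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"  # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\0"
    base_off = 0x1C + len(volume)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       0x1C, base_off, 0, suffix_off) + volume + base + b"\0"
    return header + info


if __name__ == "__main__":
    # Constructed demo: the file name is the one named in the write-up, the user is invented.
    appdata = r"C:\Users\victim\AppData\Roaming"
    lnk = build_sample(appdata + r"\abbcdriver.exe")
    print(lnk_target(lnk), is_appdata_exe(lnk_target(lnk), appdata))
```

On a live Windows host the check is `scan_startup(os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup"), os.environ["APPDATA"])`. A shortcut in Startup whose target is an executable sitting in the roaming profile rather than in Program Files is worth a second look regardless of this specific family.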

Next, the control flow is redirected into Netwire (also known as Wirenet), a remote access tool. The malware first emerged in 2012, packing password-stealing capabilities. A recently discovered version, however, allows attackers to completely take over the infected systems.

WiryJMPer’s functionality isn’t very innovative, but the malware did manage to pass under the radar for some time, likely due to obfuscation and rather low prevalence.

“Rather slow setup of the decoy showing multiple windows with unrelated titles may be suspicious enough for power-users, on the other hand, providing the ‘decoy’ binary might be comforting enough for ordinary users,” Avast concludes.

Related: Mac Malware Delivered via Firefox Exploits Analyzed

Related: Attackers Use Steganography to Obfuscate PDF Exploits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
