WiryJMPer Dropper Employs Heavy Obfuscation to Deliver Netwire

A recently discovered malware dropper employs heavy obfuscation and poses as a virtual coin wallet, in an attempt to deliver a Netwire payload, Avast’s security researchers reveal.

Dubbed WiryJMPer, the dropper appears to be a regular WinBin2Iso binary (an app that converts CD/DVD/Blu-ray images to ISO), but its file is roughly three times the size it should be, due to a suspiciously large .rsrc section.
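The oversized .rsrc section is a cheap triage signal. The following added example (not Avast's code, and not part of the original report) parses a PE section table and flags files whose .rsrc section dominates the file; the 0.5 threshold and the constructed two-section sample are assumptions made for illustration.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR)  # 40

def section_table(pe: bytes) -> dict:
    """Return {section name: (PointerToRawData, SizeOfRawData)} from an in-memory PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                               # first section header
    table = {}
    for _ in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, off)
        table[f[0].rstrip(b"\0").decode()] = (f[4], f[3])
        off += SECTION_HDR_LEN
    return table

def rsrc_share(pe: bytes) -> float:
    """Fraction of the file's bytes occupied by .rsrc (0.0 if absent); tolerates truncated files."""
    table = section_table(pe)
    if ".rsrc" not in table:
        return 0.0
    raw_off, raw_size = table[".rsrc"]
    return min(raw_size, max(0, len(pe) - raw_off)) / len(pe)

def looks_bloated(pe: bytes, threshold: float = 0.5) -> bool:
    """Triage heuristic (assumed threshold): true when .rsrc holds more than half of the file."""
    return rsrc_share(pe) > threshold

def build_sample(text_len: int, rsrc_len: int) -> bytes:
    """Construct a minimal two-section PE32 image in memory (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic, remainder zero-filled
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    raw = e_lfanew + 4 + len(coff) + len(opt) + 2 * SECTION_HDR_LEN
    headers, body = b"", b""
    for name, size, rva, fill in ((b".text", text_len, 0x1000, b"\x90"), (b".rsrc", rsrc_len, 0x2000, b"R")):
        headers += struct.pack(SECTION_HDR, name, size, rva, size, raw, 0, 0, 0, 0, 0x40000040)
        raw += size
        body += fill * size
    return dos + b"PE\0\0" + coff + opt + headers + body

if __name__ == "__main__":
    print(looks_bloated(build_sample(40000, 8000)), looks_bloated(build_sample(40000, 80000)))
```

On real samples, replace `build_sample` with the bytes of the file under analysis; a large .rsrc alone is only a lead for closer inspection, since legitimate installers also carry big resources.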

Its JMP instruction, normally meant to handle window messages, jumps into the .rsrc section, which causes an unresponsive WinBin2Iso window to appear briefly before the ABBC Coin wallet window takes over. Because the window is always shown at startup, it is a clear sign of infection.

“While this functionality isn’t novel in any sense and no sandbox evasion was utilized, the obfuscation was uncommon enough to gain our attention. The combination of control flow obfuscation and low level code abstraction made the analysis of the malware’s workflow rather tedious,” Avast’s security researchers explain.

The binary had a low detection rate on VirusTotal when first analyzed, and the researchers also discovered that the obfuscated loader uses a (possibly) custom stack-based virtual machine during the RC4 key schedule.

The WinBin2Iso binary has a patched jump that leads to the .rsrc section, where a loader is decrypted, loaded into memory and relocated.

The loader handles the rest of the infection process: it loads ntdll.dll into memory, decrypts auxiliary data such as the LNK filename and the RC4 decryption password, and then decrypts the Netwire malware and the “decoy” binary (ABBC Coin wallet).

The Netwire malware is loaded into memory and the decoy is saved to disk. The loader also attempts to achieve persistence by copying the original binary to %APPDATA%\abbcdriver.exe and creating a LNK file pointing to it in the startup folder.

Next, the control flow is redirected into Netwire (also known as Wirenet), a remote access tool. The malware first emerged in 2012, packing password-stealing capabilities. A recently discovered version, however, allows attackers to completely take over the infected systems.

WiryJMPer’s functionality isn’t very innovative, but the malware did manage to pass under the radar for some time, likely due to obfuscation and rather low prevalence.

“Rather slow setup of the decoy showing multiple windows with unrelated titles may be suspicious enough for power-users, on the other hand, providing the ‘decoy’ binary might be comforting enough for ordinary users,” Avast concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.