NetWire- Infiltrated Remote Access Trojan

Introduction

• Activist Rona Wilson, who has been imprisoned since June 2018 in connection with the Bhima Koregaon violence case, filed a petition in the Bombay High Court seeking a stay on proceedings against him and others who are co-accused.
• His petition referred to a report brought out by Arsenal Consulting, a digital forensics consulting company. The report states that for 22 months, Mr. Wilson’s computer was controlled by an attacker whose goal was to deliver incriminating documents onto his computer, which formed the basis of the case against him.

What was Arsenal Consulting’s analysis based on?

• Arsenal Consulting says its analysis was based largely on a forensic image obtained from the hard drive within Mr. Wilson’s computer.
  • A forensic image is often described as a bit-by-bit copy of any electronic device that can store memory.
  • Such an image will include even deleted data or data that were inaccessible to the user.
  • It is considered an important part of digital evidence-gathering during investigations.

How was the computer infiltrated?

• What is being conveyed by the report is that Mr. Wilson’s computer got infiltrated by a malware that enabled his system to be remote-controlled.
• Over the course of 22 months, it says, the attacker not only created a hidden folder in his system, but also created incriminating documents inside that folder.
• These, it says, were never opened but ended up being used in the case against him and others.
• The report says his computer got compromised on June 13, 2016 after a series of “suspicious mails” from “someone using Varavara Rao’s email account”.
• Mr. Rao is a co-accused in the case. This person is said to have made repeated attempts to get Mr. Wilson to open a document, which he finally did.
• This was a bait, and it triggered the installation of the NetWire remote access trojan on his computer.
• The bait was delivered via an RAR file, which usually contains one or many files in a compressed format.
• The report says while “Mr. Wilson thought he was opening a link to Dropbox” in the email sent to him, he was actually opening a link to “a malicious command and control server”.

What is NetWire?

• NetWire, which first surfaced in 2012, is a well-known malware.
• It is also one of the most active ones around.
• It is a remote access trojan, or RAT, which gives control of the infected system to an attacker.
• Such malware can log keystrokes and compromise passwords.
• Malware, according to cybersecurity experts, essentially do two things.
  • One is data exfiltration, which means stealing data. Most anti-virus software are equipped to prevent this.
  • The other involves infiltrating a system, and this has proven to be far more challenging for anti-virus software.
• NetWire is described as an off-the-shelf malware, while something like Pegasus, which used a bug in WhatsApp to infiltrate users’ phones in 2019, is custom-made and sold to nations.

What is a command and control server?

• The commands emerging from this server is what the infected system will carry out.

How did Arsenal Consulting figure out that the incriminating documents were never opened on Mr. Wilson’s computer?

• Arsenal Consulting says it reviewed the NTFS file system, which can be found on any Windows system.
• This is a system of storing and organising files. It keeps a log of the files — whether they are created, modified, or deleted.
• Object identifiers are assigned to files when they are either created or first opened. Arsenal Consulting says none of the “top ten documents” have any such identifiers.