FBI Finally Shuts Down NetWire Malware Posing As A Remote Administration Tool


The U.S. government recently seized a website that sold NetWire, malware designed to spy on computers and mobile phones.

The site marketed NetWire as a legitimate remote administration tool; in practice it was a remote access trojan (RAT). The FBI began investigating the site in 2020, and in a recent press release the U.S. Attorney's Office for the Central District of California alleged that the site was used for international money laundering, fraud, and computer crimes.

The FBI seized the website under a warrant, and the supporting affidavit explains how the bureau determined that NetWire was malware rather than a legitimate remote administration tool.

The FBI purchased a NetWire license and downloaded the malware, which an FBI-LA computer scientist analyzed on October 5, 2020, and January 12, 2021. The computer scientist used NetWire's Builder Tool to construct a customized instance of the malware and installed it on a Windows virtual machine under the FBI's control.

The affidavit also notes that NetWire's operators never checked whether their customers were using the software for legitimate purposes. The computer scientist then tested all of NetWire's functions.

Those include remotely accessing files, viewing and force-closing applications, exfiltrating stored passwords, logging keystrokes, executing commands through a command prompt or shell, and capturing screenshots. In the wrong hands, capabilities like these can do a great deal of damage.

According to the affidavit, the infected computer displayed no notice or alert while these actions were taking place. Legitimate remote access tools, by contrast, typically require the user's consent before performing actions on their behalf.

The FBI received a complaint from a US-based NetWire victim in August 2021, though the victim's identity and case details were not disclosed. After the website was seized, Croatian authorities arrested a local citizen who allegedly ran it, but they did not name the suspect at the time.

Cybersecurity journalist Brian Krebs used publicly accessible DNS records, WHOIS registration data, information from a service that indexes data exposed in public database leaks, and even a Google+ profile to link the worldwiredlabs.com website to a person named Mario Zanko.
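The kind of pivoting Krebs describes (a registrant e-mail shared between domains, a common nameserver or hosting IP, a handle that appears in a leak index and again on a social profile) can be modelled as a walk over a graph of typed identifiers. The Python below is an added illustration, not code from this article, from Krebs, or from the FBI affidavit; every domain, address, handle and name in it is constructed for the example and has no connection to the real case. It also shows the caveat a practitioner applies: a nameserver shared by many unrelated customers is weak evidence, so high-fanout infrastructure nodes are excluded before a chain is treated as a lead.

```python
"""Added example: pivoting across WHOIS, passive-DNS and breach-index records
to link a domain to a persona.  All records below are constructed for the
example; none of the domains, addresses, names or handles are real."""
from collections import defaultdict, deque

# Constructed records. Keys double as node types so that the same e-mail seen
# in WHOIS and in a breach index collapses to one node ("email:ops@mail.test").
WHOIS = [
    {"domain": "seller-site.test",   "email": "ops@mail.test",     "ns": "ns1.host.test"},
    {"domain": "side-project.test",  "email": "ops@mail.test",     "ns": "ns1.host.test"},
    {"domain": "personal-blog.test", "email": "alice.q@mail.test", "ns": "ns1.host.test"},
]
PASSIVE_DNS = [
    {"domain": "seller-site.test",   "ip": "203.0.113.10"},
    {"domain": "side-project.test",  "ip": "203.0.113.10"},
    {"domain": "personal-blog.test", "ip": "203.0.113.11"},
]
BREACH_INDEX = [  # e-mail/username pairs as a leak-index service would return them
    {"email": "ops@mail.test",     "username": "aq_dev"},
    {"email": "alice.q@mail.test", "username": "aq_dev"},
]
SOCIAL = [        # a public profile tying the handle to a display name
    {"username": "aq_dev", "name": "Alice Q."},
]


def build_graph(*record_sets):
    """Adjacency map over typed nodes; each record links all of its values."""
    graph = defaultdict(set)
    for records in record_sets:
        for rec in records:
            nodes = [f"{kind}:{value}" for kind, value in rec.items()]
            for a in nodes:
                for b in nodes:
                    if a != b:
                        graph[a].add(b)
    return graph


def common_infrastructure(graph, max_fanout):
    """Pivots tied to more than max_fanout distinct domains (shared hosting,
    a registrar's default nameserver) connect unrelated parties; skip them."""
    return {
        node for node, nbrs in graph.items()
        if sum(1 for n in nbrs if n.startswith("domain:")) > max_fanout
    }


def pivot_path(graph, start, goal, max_fanout=None):
    """Shortest chain of shared identifiers from start to goal, or None.
    With max_fanout set, high-fanout infrastructure nodes are not traversed."""
    skip = common_infrastructure(graph, max_fanout) if max_fanout is not None else set()
    skip.discard(start)
    skip.discard(goal)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph[node]):  # sorted for deterministic output
            if nxt in skip or nxt in prev:
                continue
            prev[nxt] = node
            queue.append(nxt)
    return None


GRAPH = build_graph(WHOIS, PASSIVE_DNS, BREACH_INDEX, SOCIAL)

if __name__ == "__main__":
    seed = "domain:seller-site.test"
    print(" -> ".join(pivot_path(GRAPH, seed, "name:Alice Q.")))
    # The shared nameserver alone "links" the seed to another domain in one hop...
    print(" -> ".join(pivot_path(GRAPH, seed, "domain:personal-blog.test")))
    # ...while skipping shared infrastructure forces the chain through the
    # breach index, a much stronger pivot.
    print(" -> ".join(pivot_path(GRAPH, seed, "domain:personal-blog.test", max_fanout=2)))
```

A returned path is a lead to corroborate hop by hop, not proof of identity. The article notes that Krebs combined several independent sources; a single shared-infrastructure hop such as a common nameserver should never be taken as attribution on its own, which is what the fan-out filter in the example approximates.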

For now, information about the operation to take down the website that sold NetWire, including the identities of its owners, remains limited. More details may be released later.

None of the information on this website is investment or financial advice and does not necessarily reflect the views of CryptoMode or the author. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website by its authors or clients. Always conduct your research before making financial commitments, especially with third-party reviews, presales, and other opportunities.