NetWire RAT Malware has been seized by international law enforcement agencies, who have achieved a significant triumph in their operation against cybercriminals. The website has been seized, and the infrastructure utilised by criminals linked to the remote access trojan (RAT) has been taken down.
An authentic remote access tool for managing Windows systems from a distance was promoted as NetWire, a remote access Trojan.
Authorities in Croatia detained an individual on Tuesday, who is believed to have managed the worldwiredlabs website responsible for selling the NetWire malware over an extended period. Simultaneously, a judge in the United States granted a seizure warrant, allowing federal officials in Los Angeles to take control of the internet domain.
In a coordinated effort, Swiss law enforcement authorities also seized the server hosting the NetWire RAT infrastructure. This joint action demonstrates international collaboration in combating cybercrime. Users could subscribe to the service for as low as $10 a month, which included support.
Initially detected in 2012, NetWire RAT is usually hidden within malicious files. It is a popular choice among cybercriminals and government-sponsored entities and is commonly distributed via phishing attacks.
NetWire RAT could be deployed by threat actors to capture screenshots, transfer files, issue commands, and download additional programs on compromised Windows computers from a remote location.
In a statement, Donald Alway, who serves as the assistant director in charge of the FBI’s Los Angeles field office, said:
By removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem. The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.
Law Enforcement Seized NetWire Infrastructure
The FBI’s Los Angeles division initiated an inquiry into the malware distributor in 2020. During the investigation, undercover agents established accounts on the website, purchased a subscription and developed a bespoke version of the NetWire RAT utilising the product’s Builder Tool.
On Tuesday, as part of a coordinated international law enforcement operation aimed at disrupting the NetWire service, a seizure warrant approved on March 3rd, 2023 was executed. The U.S. Attorney’s Office for the Central District of California made the announcement.
Police from the FBI, the Central District of California U.S. Attorney’s Office, the Croatian Ministry of the Interior Criminal Police Directorate, Zurich Cantonal Police, Europol, and the Australian Federal Police helped in this investigation.
According to the Croatian police, who are still assessing the overall revenue generated from the sale of the RAT, the malware vendor sold NetWire licences for prices ranging from $10 to $1,200.
The FBI seized the worldwiredlabs.com name used to market the business during this investigation, while Swiss authorities seized the server hosting the website.
Visitors to the website are now greeted by a seizure notice, which reads, “This Website Has Been Seized as part of a coordinated law enforcement action taken against the NetWire Remote Access Trojan”.
In the past few months, various high-profile cybercrime groups have been targeted by international law enforcement operations, and the NetWire takedown is the latest addition to this series of actions.
The FBI, Europol, and German police arrested accused members of the DoppelPaymer ransomware group earlier this month in connection with Europol and the FBI. They also issued warrants for three other people who are thought to be the “masterminds” behind the global operation.
Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.