NetWire RAT

NetWire remote access trojan (RAT) has been widely used by cybercriminals since 2012. In September 2016, Secureworks researchers observed a new version of NetWire that was scraping card data and using a keylogger that can gather data from devices like USB card readers. The trojan is spread through phishing emails with malicious attachments. NetWire can linger for months or years once it’s infected. The researchers state that the file creates a Windows shortcut in the Startup menu to ensure it launches every time the victim logs into the system and it injects code in notepad.exe to evade detection. In early 2016, it was used in attacks against banks and healthcare companies. Victims opened Word documents embedded with malicious macros and the RAT downloaded from Dropbox to infect the user. In 2014, Palo Alto Networks uncovered that Nigerian scammers were using NetWire to remotely control infected systems.


  • July 2014: Nigerian scammers use the NetWire RAT to establish control over infected systems. (TheRegister)
  • March 2016: Criminal groups targeted ATMs, payment processors, and transaction processing systems by sending spear-phishing emails that deliver Carbanak malware or popular remote access trojans like NetWire. (SCMagazine)
  • November 2016: Researchers discover new NetWire variant targeting payment card data in September. (SecureWorks)

Technical Details

  • SecureWorks provides technical details on the NetWire RAT, here.

One example of the NetWire RAT variant. Image Source: FireEye