Law enforcement seized the website selling the NetWire RAT and arrested a Croatian man

An international law enforcement operation seized the infrastructure associated with the NetWire RAT and resulted in the arrest of its administrator.

A coordinated international law enforcement operation resulted in the seizure of the infrastructure associated with the NetWire RAT; the police also arrested its administrator.

Law enforcement seized the website www.worldwiredlabs[.]com and arrested its alleged administrator, a Croatian national.


The NetWire Remote Access Trojan (RAT) has been available for sale on cybercrime forums since 2012; it allows operators to steal sensitive data from infected systems.


“As part of an international law enforcement effort, federal authorities in Los Angeles this week seized an internet domain that was used to sell computer malware used by cybercriminals to take control of infected computers and steal a wide array of information.” reads the press release published by the DoJ. “A seizure warrant approved by a United States Magistrate Judge on March 3 and executed on Tuesday led to the seizure of www.worldwiredlabs.com, which offered the NetWire remote access trojan (RAT), a sophisticated program capable of targeting and infecting every major computer operating system.”

While the defendant has not yet been publicly named, the popular investigator Brian Krebs identified Mario Zanko as the owner of the site.


“While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.” reads the post published by Brian Krebs. “According to DomainTools.com, printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address [email protected]. DomainTools further shows this email address was used to register one other domain in 2012: wwlabshosting[.]com, also registered to Mario Zanko from Croatia.”

NetWire RAT is a cross-platform remote access trojan (RAT) that can infect Windows, macOS, or Linux systems.

The U.S. Department of Justice revealed that the FBI launched an investigation into the malware operation in 2020.

Undercover investigators created an account on the website used to sell the malware, paid for a subscription plan, and “constructed a customized instance of the NetWire RAT using the product’s Builder Tool,” according to the affidavit in support of the seizure warrant.


“By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.”

Pierluigi Paganini


(SecurityAffairs – hacking, NetWire RAT)



