International Law Enforcement Agencies Disrupt NetWire RAT Operation

The combined efforts of several international law enforcement agencies recently disrupted the notorious NetWire RAT operation, dismantling its infrastructure and seizing its website.

US authorities cooperated with Croatia, Switzerland, the Australian Federal Police and the Europol European Cybercrime Center to conduct this investigation.

On Tuesday, Croatian authorities arrested the alleged administrator of the “worldwiredlabs” website where the NetWire remote access trojan (RAT) was sold for years.

At the same time, a US judge signed a warrant allowing Swiss authorities to confiscate NetWire RAT’s infrastructure server and Los Angeles federal authorities to seize the malicious domain.

“While the website marketed NetWire as a legitimate business tool to maintain computer infrastructure, the affidavit states that NetWire is a malware used for malicious purposes,” the US Attorney’s Office said in a press release. “The software was advertised on hacking forums, and numerous cyber security companies and government agencies have documented instances of the NetWire RAT being used in criminal activity.”

Like other RATs, NetWire granted the perpetrators remote access to the victim’s machine, allowing them to perform nefarious activities on compromised systems. RAT operators could spy on their victims and carry out other tasks, such as deploying backdoors for persistence, exfiltrating data, or controlling the device remotely with elevated privileges.

In the “worldwidelabs” investigation, launched in 2020, undercover FBI agents created an account on the malicious website, paying for a subscription plan. The account granted access to a Builder tool that let agents create a tailored derivative of the NetWire RAT.

“The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals,” says Assistant Director in Charge of the FBI’s Los Angeles Field Office Donald Always.

While authorities have yet to determine how much money the illicit NetWire RAT operators made, they say the perpetrators sold the malicious software for amounts ranging from $10 to $1,200.