NetWiredRC trojan used in series of phishing attacks to target hotel industry in North America

• Attackers are sending malicious attachments through emails to the finance department of the target company.
• The malware steals credentials stored in IE, Comodo Dragon, Yandex, Mozilla Firefox, Google Chrome, Chromium, Opera browser and Outlook.

A series of phishing email attacks have been targeting the hotel industry in North America. The attackers are leveraging these attacks to distribute a powerful trojan named NetWiredRC.

How does it propagate?

According to the researchers from 360 Security Center, attackers are sending malicious attachments through emails to the finance department of the target company. The email states that part of the company’s service has outstanding bills which can be viewed in the attached Zip file.

Once the victim clicks on the zip file, a shortcut that carries the malware is extracted on the infected system. To make it less suspicious, the shortcut icon is also disguised as a bill. The shortcut is then used to download the trojan from the address http[:]//13.67.107.73:80/amtq/out-441441271.ps1.

“Out-441441271.ps1 is the releaser Trojan, which will release a .NET Trojan psd.exe after execution. Psd.exe is multi-layered and obfuscated,” wrote the 360 Security Center researchers in a blog post.

What are the capabilities of NetWiredRC?

The capabilities of NetWiredRC include:

• Getting a file directory structure;
• Capturing disk information;
• Taking a screenshot;
• Simulating mouse and keyboard clicks;
• Creating a process;
• Getting system version information;
• Copying, reading, writing and deleting files;
• Network connection status; and
• Stealing login credentials.

The malware steals credentials stored in IE, Comodo Dragon, Yandex, Mozilla Firefox, Google Chrome, Chromium, Opera browser, Outlook, Thunderbird, SeaMonkey, and other mail clients.