An Analysis of the Cross-Platform Backdoor OSX/NetWeirdRC

A backdoor called OSX/NetWeirdRC has been found that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. Much like OSX/Crisis, this is a commercial remote access tool (RAT) that was leaked to VirusTotal. It was sold under the name “NetWire Remote Control” through http://www.worldwiredlabs[.]com/netwire_/. (Update: In 2023, the FBI seized this domain as part of a multi-country effort to arrest and prosecute the malware’s creator.)

This malware appears to be in the wild, but the risk is considered low at this time. It is not known how the malware would arrive, though presumably it would be part of a targeted attack and it would come with a custom dropper or entice the user to run a file through social engineering.

What else is known about OSX/NetWeirdRC malware?

In testing, it was found that this malware is not persistent. Perhaps due to a bug, it does not restart after a reboot, and will lie dormant unless it is manually restarted or removed. It does attempt to add itself to the login items, but this does not succeed in restarting the malware; it will only open the user’s home folder at login instead.

The sample we received copies itself to the user’s home directory, though this functionality is configurable and may vary.

Once it is installed, it calls home to the IP address 212.7.208[.]65 on port 4141 and awaits instructions. VirusBarrier’s firewall alerts on this connection attempt.

The backdoor offers a number of different functions to perform actions and spy on the user of the infected machine:

  • Installing new files
  • Performing commands remotely
  • Grabbing screenshots
  • Gathering system information
  • Gathering information about what programs are running
  • Stealing encrypted Firefox, Thunderbird, Opera, SeaMonkey passwords

A temporary file is created for the malware to know if it has already been installed:

  • /tmp/.lbOOjfsO
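As an added example that is not part of Intego’s write-up, the following shell script checks a Mac for the two host-level indicators given above: the marker file in /tmp and open sockets to the command-and-control address on port 4141. It assumes the address formats printed by macOS `netstat -an` (host.port) and `lsof -i` (host:port); the function names and the sample lines used to exercise it are constructions for this example.

```shell
#!/bin/sh
# Added triage helper (not from the Intego write-up): checks a Mac for the two
# indicators described in the article, the marker file /tmp/.lbOOjfsO and
# outbound connections to 212.7.208.65 on TCP port 4141. Function names are
# this example's own; the IoC values come from the write-up.

MARKER="/tmp/.lbOOjfsO"
C2_HOST="212.7.208.65"
C2_HOST_RE='212\.7\.208\.65'   # dots escaped for use in an extended regex
C2_PORT="4141"

# Exit 0 if the marker file exists (the path can be overridden for testing).
check_marker() {
    [ -e "${1:-$MARKER}" ]
}

# Filter stdin to lines that reference the C2 endpoint. macOS `netstat -an`
# writes foreign addresses as 212.7.208.65.4141 (dot before the port) while
# `lsof -i` writes 212.7.208.65:4141, so both separators are accepted. The
# leading and trailing guards keep a string such as 1212.7.208.65.41411,
# which merely contains the IoC, from matching.
match_c2_lines() {
    grep -E "(^|[^0-9.])${C2_HOST_RE}[.:]${C2_PORT}([^0-9]|\$)"
}

# Number of matching lines on stdin, as a bare integer (wc pads with spaces
# on macOS, so they are stripped).
count_c2_hits() {
    match_c2_lines | wc -l | tr -d ' '
}

# Live check against the running system: prints findings and returns 1 if
# any indicator is present, so it can drive a larger script or a scheduled job.
run_triage() {
    found=0
    if check_marker; then
        echo "[!] marker file present: $MARKER"
        found=1
    fi
    hits=$(netstat -an 2>/dev/null | count_c2_hits)
    if [ "$hits" -gt 0 ]; then
        echo "[!] $hits socket(s) to ${C2_HOST}:${C2_PORT} in netstat output"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "[ok] no OSX/NetWeirdRC indicators found"
    fi
    return "$found"
}

# Run the live check only when invoked as: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    run_triage
fi
```

Because the write-up notes that the backdoor does not restart after a reboot, a clean network check on a freshly restarted machine is not conclusive on its own; the marker-file check and a scan with up-to-date antivirus remain the more dependable signals.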

It’s interesting to compare and contrast OSX/Crisis and OSX/NetWeirdRC, as they are both commercial products. While OSX/Crisis is an advanced threat that hides itself reasonably well, OSX/NetWeirdRC has a number of glaring issues. Perhaps the price tag tells us all we need to know: OSX/Crisis sells for €200,000, and OSX/NetWeirdRC starts at $60. The website for the developers of OSX/NetWeirdRC also lists the undetected nature of this tool as a selling point. It would seem that you get what you pay for, even in the malware world.

How can one remove or prevent OSX/NetWeirdRC and other Mac malware?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego software detects components of this threat (including post-2012 variants) under the names OSX/NetWeirdRC.A, OSX/NetWeirdRC.B, OSX/NetWeirdRC.C, OSX/Netweird, OSX/Netwire, and OSX/Wirenet.gen.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the very latest Macs.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

OSX/NetWeirdRC indicators of compromise (IoCs)

Files with the following SHA-256 hashes have been identified as affiliated with OSX/NetWeird-related malware campaigns:

Each of these samples is available on VirusTotal (see lists of samples for variant 1, variant 2, variant 3, and variant 4). Note that this blog post has been updated to add some newer samples, including from 2019 or later.

Is OSX/NetWeirdRC known by any other names?

Other vendors’ or journalists’ names for this malware campaign may include variations of the following:

A Variant Of OSX/Netweird.A, A Variant Of OSX/Netweird.F, Backdoor:MacOS_X/NetWiredRC.A, Backdoor:MacOS/NetWired, Backdoor:MacOS/Wirenet.4fb9d760, Backdoor:OSX/NetWeirdRC.A, Backdoor.MacOS.NETWIRED.A, Backdoor.MacOSX.NetWeirdRC.A, Backdoor.NetWire/OSX!1.D99F (CLASSIC), Backdoor.OSX.NetWeirdRC.A, Backdoor.OSX.NetWiredRC.a (v), Backdoor.OSX.Wirenet.10000077, Backdoor.OSX.Wirenet.a, Backdoor.Trojan, Backdoor.Win32.Generic.FGT, Backdoor.Wirenet.OSX.12, Backdoor.Wirenet.OSX.13, Backdoor.Wirenet.OSX.17, Backdoor.Wirenet.OSX.33, Backdoor.Wirenet.OSX.38, Backdoor.Wirenet/OSX.a (CLASSIC), DFI – Suspicious Mach-O, HEUR:Backdoor.OSX.Wirenet.g, HEUR:Backdoor.OSX.Wirenet.h, Mac.BackDoor.Wirenet.1, Mac.BackDoor.Wirenet.5, MAC.OSX.Backdoor.Wirenet.A (B), MAC.OSX.Backdoor.Wirenet.E (B), MAC.OSX.Backdoor.Wirenet.I (B), MAC.OSX.Backdoor.Wirenet.J (B), MAC.OSX.NetWeird.A (B), Mac/Backdoor.072, MacOS:Netweird-B [Trj], MacOS/Wirenet.A, MacOS/Wirenet.B, MacOS/Wirenet.C, Malware.Generic-Script.Save.af8a464f, Malware.Generic-Script.Save.b7811f5b, Malware.OSX/Netweird.tbkts, Malware@#15i81g3rc3sef, Malware@#1afq2rvd10wil, Malware@#1f0m269krpw2l, Malware@#1h8tju5hbd21f, Malware@#1hd42vlms8n0z, Malware@#1uzmyxicqk3uv, Malware@#20rfq4tbgqoib, Malware@#21rpfafrtdx2b, Malware@#28x09as6fhwfe, Malware@#2caoj5w0utqjh, Malware@#2gpv2ykp4521v, Malware@#2k8e1hubq5acd, Malware@#2o0859e15qp3n, Malware@#2rjlzn4iz9h25, Malware@#2sgtqzk1lqssy, Malware@#31kj44wfcawer, Malware@#3gv612cqtop6v, Malware@#3s6xew9utef8d, Malware@#3w5a7hy6bca77, Malware@#hqkpyo3ijq8t, Malware@#lh57jy6pg49f, Multi:Wirenet-B [Trj], Net.Backdoor.Wirenet.Mzfl, Net.Backdoor.Wirenet.Syrk, Net.Backdoor.Wirenet.Wnvs, Net.Backdoor.Wirenet.Wrgi, Net.Backdoor.Wirenet.Wstu, Net.Trojan.Netweird.Rzfl, OSX_NETWEIRD.TP, OSX_NETWIRED.A, OSX_NETWRD.A, OSX_WIRENET.AA, OSX_WIRENET.AC, OSX_WIRENET.AE, OSX_WIRENET.AF, OSX_WIRENET.AH, OSX_WIRENET.SM, OSX.Malcol, Osx.Malware.Agent-6997565-0, OSX.Netweird.B, OSX.NetWeird.i, OSX.NetWeird.ii, OSX.Netwire.A, OSX.Trojan.Gen, Osx.Trojan.Netweird-1, Osx.Trojan.Netweird-2, OSX/BHT.O, OSX/Generic.af, OSX/Macho.b, OSX/Netweird.A!tr, OSX/Netweird.qkmhq, OSX/Netweird.tbkts, OSX/NetWierd, OSX/NetWired.a, OSX/NetWrdRC-A, OSX/NetWrdRC-H, OSX/OSX_Wirenet.F!tr.bdr, OSX/Wirenet.63768, OSX/Wirenet.a, OSX/Wirenet.A!tr.bdr, OSX/Wirenet.A.1, OSX/Wirenet.C, OSX/Wirenet.M, OSX32-Trojan/Wirenet.B, OSX32-Trojan/Wirenet.C, OSX32-Trojan/Wirenet.D, RDN/Generic.gci, RDN/Generic.gfj, RDN/Generic.osx, Static AI – Malicious Archive, Static AI – Malicious Mach-O, Static AI – Suspicious Mach-O, Trojan ( 3ac000771 ), Trojan ( 3ac070611 ), Trojan:MacOS/Occamy.AA, Trojan:MacOS/Vigorf.A, Trojan:MacOS/Ymacco.AACD, Trojan:Script/Wacatac.C!ml, Trojan.Agent.gdz (CLASSIC), Trojan.Agent.geb (CLASSIC), Trojan.Mac.Netweird.effjbe, Trojan.Mac.Netweird.eteaqv, Trojan.Mac.Netweird.ffcvyf, Trojan.Mac.Netweird.focmdw, Trojan.Mac.Netweird.frewfz, Trojan.Mac.Netweird.fsnnuy, Trojan.MAC.Netwire.A (B), Trojan.Mac.Wirenet.bbgbyo, Trojan.Mac.Wirenet.bckzzk, Trojan.Mac.Wirenet.bdfnbo, Trojan.Mac.Wirenet.bdvzgt, Trojan.Mac.Wirenet.beacxp, Trojan.Mac.Wirenet.bgwblv, Trojan.Mac.Wirenet.bmveuq, Trojan.Mac.Wirenet.bmvxfe, Trojan.Mac.Wirenet.bmxkqo, Trojan.Mac.Wirenet.bnebyq, Trojan.Mac.Wirenet.bsapjo, Trojan.Mac.Wirenet.ddgtuu, Trojan.Mac.Wirenet.dtkfyv, Trojan.Mac.Wirenet.wpzjm, Trojan.Mac.Wirenet.wqrhp, Trojan.Mac.Wirenet.wqris, Trojan.Mac.Wirenet.yolio, Trojan.Mac.Wirenet.yziuu, Trojan.Malware.74403110.susgen, Trojan.Netweird..1, Trojan.Netweird..10, Trojan.Netweird..11, Trojan.Netweird..12, Trojan.Netweird..16, Trojan.Netweird..2, Trojan.Netweird..28, Trojan.Netweird..29, Trojan.Netweird..3, Trojan.Netweird..30, Trojan.Netweird..4, Trojan.Netweird.OSX.34, Trojan.OSX.Netweird, Trojan.OSX.Netwire, Trojan.OSX.Wirenet.4!c, Trojan.OSX.Wirenet.m!c, Trojan.Win32.OSX.Agent.I, Trojan[Backdoor]/OSX.Wirenet, Trojan/Generic.ASSuf.27716, Virus.MAC.OSX.Wirenet.A, W32/OSX_Wirenet.A!tr.bdr

How can I learn more?

You may also be interested in our write-up of OSX/Crisis, another commercial macOS remote access Trojan that Intego discovered in July 2012, just one month before OSX/NetWeirdRC came to light. See also our latest malware write-ups.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.