Spam campaign: Netwire RAT via PowerShell and MS Excel to German users


G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimic the German courier, parcel and express mail service DHL.

DeepRay alarm: attacks on German customers

At noon on 13 April 2020 our monitoring system created an alert because DeepRay reported more hits than usual for one particular detection on PowerShell downloaders. The alarm system is there to see early if something goes wrong. In this case, however, the alarm went off because of a spam campaign hitting our German customers, and the detections were all legitimately preventing the malware downloader from doing its job.

We investigated the threat and also found BEAST-related entries which showed that the culprits were Excel documents delivered by email. While we do not receive the Excel or email documents themselves, we do see infection chains reported by BEAST for those customers that agreed to the Malware Information Initiative (Mii).

Infection vector: Delivery email with Excel attachment

The malicious email claims to be from DHL, a courier, parcel and express mail service in Germany. It says that the delivery address of a recent order cannot be found and that the recipient should add information to an attached document. A screenshot of such an email is shown in this German article that warns about malicious macros; based on the IOCs, it describes the same threat.

A lot of people are currently receiving deliveries due to Corona-related lockdowns of shops, which is probably why the threat actors chose this pretext to deceive the user.

The document has the name Dokumentation.xls[1]. After searching for the threat via Google, we found a sample on VirusTotal that fits the ongoing campaign. When opened, it shows an image that asks the user to activate macros in order to display the contents.

After enabling macros, the Excel document runs a PowerShell command which downloads two files and performs character replacements on them in order to decode them.

One of those text files[4] is shown on the left-hand side below. Here the characters '@@' are replaced by '44' and '!' by '78'.

After the character replacement and conversion of the integers to bytes, a second obfuscation layer[5] becomes visible (image on the right-hand side). In this layer an 'N' is simply prepended to every byte value. Decoding it reveals the last layer, which is a .NET DLL called Hackitup[2].
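The two decoding steps described above, written out as a small analysis helper. This is an added example and not code from the original post or from the campaign itself; it assumes that layer 1 is a comma-separated list of decimal byte values and that layer 2 is a comma-separated list of 'N'-prefixed decimal byte values (with those two assumptions, the replaced tokens '44' and '78' are exactly the ASCII codes of ',' and 'N', which is why the decoded text only contains digits once the replacements are undone). The sample input is constructed inline with a forward obfuscation routine; the real paste content is not reproduced here.

```python
"""Decoder for the two-layer text obfuscation used by the PowerShell downloader.

Added example; assumptions (not stated in the original post):
  - layer 1: comma-separated decimal byte values, with '44' -> '@@' and '78' -> '!'
  - layer 2: comma-separated decimal byte values, each prefixed with 'N'
"""


def decode_layer1(text: str) -> bytes:
    """Undo the character replacements and turn the integer list into bytes."""
    restored = text.replace("@@", "44").replace("!", "78")
    return bytes(int(tok) for tok in restored.split(",") if tok.strip())


def decode_layer2(text: str) -> bytes:
    """Strip the leading 'N' from every value and turn the integer list into bytes."""
    values = []
    for tok in text.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if not tok.startswith("N"):
            raise ValueError(f"unexpected token in layer 2: {tok!r}")
        values.append(int(tok[1:]))
    return bytes(values)


def decode_both(layer1: str) -> bytes:
    """Run both stages: layer 1 text -> layer 2 text -> final payload bytes."""
    layer2_text = decode_layer1(layer1).decode("ascii")
    return decode_layer2(layer2_text)


def looks_like_pe(data: bytes) -> bool:
    """A .NET DLL is a PE file, so the decoded payload should start with 'MZ'."""
    return data[:2] == b"MZ"


def build_sample(payload: bytes) -> str:
    """Forward obfuscation, used only to construct test input (assumed layout)."""
    layer2_text = ",".join(f"N{b}" for b in payload)
    layer1_text = ",".join(str(b) for b in layer2_text.encode("ascii"))
    return layer1_text.replace("44", "@@").replace("78", "!")


if __name__ == "__main__":
    # Constructed payload: the start of a PE header, not a real sample.
    sample = build_sample(b"MZ\x90\x00")
    print("layer 1:", sample)
    decoded = decode_both(sample)
    print("decoded:", decoded, "PE header:", looks_like_pe(decoded))
```

Running the script on the constructed sample prints the obfuscated layer-1 text and recovers the original bytes; on a real download the `looks_like_pe` check is a quick sanity test that the last layer really is the DLL and not yet another text stage.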

Hagga delivers NetWire RAT

The other downloaded file is an obfuscated but non-packed NetWire[3] sample. NetWire is a widespread remote access trojan.

The aforementioned .NET DLL Hackitup[2] performs process injection for a given file. The PowerShell command calls this DLL to inject NetWire[3] into MSBuild.exe.

This kind of PowerShell downloader is typical for Hagga aka Aggah campaigns as described in this Azorult article.

Takedown of pastes stopped the campaign

After I had tweeted about the ongoing campaign, researcher @JayTHL requested the sites and reported them. They were taken down a few minutes later, effectively stopping payload delivery.

Indicators of Compromise


[1] Excel attachment (similar to the ones used in the campaign, but older)

[2] .NET injection DLL Hackitup

[3] NetWire (injected into MSBuild.exe)

[4] Obfuscated Hackitup layer 1 (raw download)

[5] Obfuscated Hackitup layer 2 (first unpacking stage)

Paste URLs (defanged):
paste .ee/r/e49u0
paste .ee/r/dlOMz
paste .ee/r/gTYWf
paste .ee/r/rHoL5