Who’s Behind the NetWire Remote Access Trojan? – Krebs on Security



A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn't yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.


Typically installed by booby-trapped Microsoft Office documents and distributed via email, NetWire is a multi-platform threat that is capable of targeting not only Microsoft Windows machines but also Android, Linux and Mac systems.

NetWire's reliability and relatively low cost ($80-$140 depending on features) has made it an extremely popular RAT on the cybercrime forums for years, and NetWire infections consistently rank among the top 10 most active RATs in use.

NetWire has been sold openly on the same website since 2012: worldwiredlabs[.]com. That website now features a seizure notice from the U.S. Department of Justice, which says the domain was taken as part of “a coordinated law enforcement action taken against the NetWire Remote Access Trojan.”

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the U.S. Department of Justice today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

Neither the DOJ's statement nor a press release on the operation published by Croatian authorities mentioned the name of the accused. But it's fairly remarkable that it has taken so long for authorities in the United States and elsewhere to move against NetWire and its alleged owner, given that the RAT's author apparently did very little to hide his real-life identity.

The WorldWiredLabs website first came online in February 2012 using a dedicated host with no other domains. The site's true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in historical Domain Name System (DNS) records for WorldWiredLabs that point in the same direction.

In October 2012, the WorldWiredLabs domain moved to another dedicated server at the Internet address 198.91.90.7, which was home to just one other domain: printschoolmedia[.]org, also registered in 2012.

According to DomainTools.com, printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address zankomario@gmail.com. DomainTools further shows this email address was used to register one other domain in 2012: wwlabshosting[.]com, also registered to Mario Zanko from Croatia.

A review of DNS records for both printschoolmedia[.]org and wwlabshosting[.]com shows that while these domains were online they both used the DNS name server ns1.worldwiredlabs[.]com. No other domains have been recorded using that same name server.

The WorldWiredLabs web site, in 2013. Source: Archive.org.

DNS records for worldwiredlabs[.]com also show the site forwarded incoming email to the address tommaloney@ruggedinbox.com. Constella Intelligence, a service that indexes information exposed by public database leaks, shows this email address was used to register an account at the clothing retailer romwe.com, using the password “123456xx.”

Running a reverse search on this password in Constella Intelligence shows there are more than 450 email addresses known to have used this credential, and two of those are zankomario@gmail.com and zankomario@yahoo.com.

A search on zankomario@gmail.com in Skype returns three results, including the account name “Netwire” and the username “Dugidox,” and another for a Mario Zanko (username zanko.mario).

Dugidox corresponds to the hacker handle most frequently associated with NetWire sales and support discussion threads on multiple cybercrime forums over the years.

Constella ties dugidox@gmail.com to a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, and to IP addresses in Croatia for both. Constella also shows the email address zankomario@gmail.com used the password “dugidox2407.”

In 2010, someone using the email address dugidox@gmail.com registered the domain dugidox[.]com. The WHOIS registration records for that domain list a “Senela Eanko” as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanko's name.

Prior to the demise of Google+, the email address dugidox@gmail.com mapped to an account with the nickname “Netwire wwl.” The dugidox email also was tied to a Facebook account (mario.zanko3), which featured check-ins and photos from various places in Croatia.

That Facebook profile is no longer active, but back in January 2017, the administrator of WorldWiredLabs posted that he was considering adding certain Android mobile functionality to his service. Three days after that, the Mario.Zank3 profile posted a photo saying he was selected for an Android instruction course, with his dugidox email visible in the photo, naturally.

Incorporation records from the U.K.'s Companies House show that in 2017 Mr. Zanko became an officer in a company called Godbex Solutions LTD. A Youtube video invoking this corporate name describes Godbex as a “next generation platform” for exchanging gold and cryptocurrencies.

The U.K. Companies House records show Godbex was dissolved in 2020. It also says Mr. Zanko was born in July 1983, and lists his occupation as “electrical engineer.”

Mr. Zanko did not respond to multiple requests for comment.
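The infrastructure pivots described above (a dedicated IP shared with one other domain, a name server used by only two domains, the mail-forwarding address) and the leaked-credential pivot are the same operation: walking a link graph of shared indicators. The Python below is an added example, not code from the article, DomainTools or Constella; its records are constructed from the indicators the article cites plus an invented bulk-hosting IP (203.0.113.5 with forty tenant*.example domains) to show why a pivot shared by many entities carries little weight.

```python
from collections import deque

# Constructed records modelled on the article's pivots; domains stay defanged with "[.]".
DNS_RECORDS = [  # (domain, record type, value)
    ("worldwiredlabs[.]com", "A", "198.91.90.7"),
    ("printschoolmedia[.]org", "A", "198.91.90.7"),
    ("printschoolmedia[.]org", "NS", "ns1.worldwiredlabs[.]com"),
    ("wwlabshosting[.]com", "NS", "ns1.worldwiredlabs[.]com"),
    ("worldwiredlabs[.]com", "MX", "tommaloney@ruggedinbox.com"),
] + [(f"tenant{i}[.]example", "A", "203.0.113.5") for i in range(40)]  # bulk host: noise
WHOIS_RECORDS = [("zankomario@gmail.com", "printschoolmedia[.]org"),  # (registrant email, domain)
                 ("zankomario@gmail.com", "wwlabshosting[.]com")]
CRED_RECORDS = [("tommaloney@ruggedinbox.com", "123456xx"),  # (email, password seen in a leak)
                ("zankomario@gmail.com", "123456xx"), ("zankomario@yahoo.com", "123456xx")]
PREFIX = {"A": "ip", "NS": "ns", "MX": "email"}

def refang(s):
    return s.replace("[.]", ".")

def build_graph():
    """Undirected link graph; ordered adjacency lists make the BFS below deterministic."""
    g = {}
    def link(a, b):
        for x, y in ((a, b), (b, a)):
            if y not in g.setdefault(x, []):
                g[x].append(y)
    for dom, rtype, val in DNS_RECORDS:
        link(f"domain:{refang(dom)}", f"{PREFIX[rtype]}:{refang(val)}")
    for email, dom in WHOIS_RECORDS:
        link(f"email:{email}", f"domain:{refang(dom)}")
    for email, pw in CRED_RECORDS:
        link(f"email:{email}", f"password:{pw}")
    return g

def shortest_pivot_path(g, start, target):
    """BFS for the shortest chain of shared indicators linking two entities, or None."""
    seen, queue = {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in g.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def weak_pivots(g, path, max_fanout=10):
    """Indicators shared by many entities (bulk hosting, common passwords) prove little alone."""
    return [n for n in path[1:-1] if len(g[n]) > max_fanout]
```

A pivot with few neighbours, such as a name server used by only two domains, is strong evidence; the article's password pivot, shared by more than 450 addresses, is the kind of node `weak_pivots` flags and needs an independent chain (here the shared dedicated IP and the WHOIS registrant) to corroborate it.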
