- Apr 9, 2020
- 659
My writeup of a Netwire spam campaign targeting Germany yesterday.
Spam campaign delivers Netwire RAT via paste.ee to German users
G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimick the German courier, parcel and express mail service DHL.
www.gdatasoftware.com
At noon on 13. April 2020 our monitoring system created an alert because DeepRay reported more hits than usual for one particular detection on PowerShell downloaders. The alarm system is there to see early if something goes wrong. However, this alarm went off because of a spam campaign hitting our German customers. The detections were all legitimately preventing the malware downloader from doing it's job.
We investigated the threat and also found BEAST-related entries which showed that the culprit were Excel documents delivered by email. While we do not receive the Excel or email documents themselves, we do see infection chains reported by BEAST for those customers that agreed to the Malware Information Initiative (Mii).
...