Feds seize website selling Trojan malware used by hackers worldwide since 2012


US authorities have taken down a seemingly legitimate website domain that had been marketing and selling a Trojan malware program used by cybercriminals on a global scale for over a decade.

The international intelligence coalition, led by the US Federal Bureau of Investigation (FBI), took hold of the internet domain worldwiredlabs dot com Tuesday after a three year investigation.

The FBI became suspicious of the site after it was identified as the only known online distributor of a malware program known as NetWire.

ADVERTISEMENT

Agents went undercover on the website posing as buyers looking to customize the software.

NetWire is "a sophisticated program capable of targeting and infecting every major computer operating system," the FBI said.

The website marketed the malware “as a legitimate business tool to maintain computer infrastructure,” according to a US Department of Justice (DoJ) affidavit.

Instead, the affidavit states, NetWire is a malicious software program well used by threat actors and advertised freely on hacking forums.

“Criminals used NetWire on a global scale, and we have responded by dismantling the infrastructure that has caused untold harm to victims around the world,” said United States Attorney Martin Estrada.

Still present on Twitter, the World Wired Labs account profile shows it was created in March 2013. Its only tweet links to the company’s home page, now showing this FBI announcement.

“This Website Has Been Seized as part of a coordinated law enforcement action taken against the NetWire Remote Access Trojan,” the site reads.

worldwiredlabs.com seized
ADVERTISEMENT

The NetWire software is defined as a typical Remote Access Trojan (RAT) – designed to infiltrate a computer system, remain undetected, and pilfer sensitive information by taking control of the infected network using a command server set up at an alternate location, unbeknownst to the victim.

Multiple cybersecurity companies and government agencies have documented instances of the NetWire RAT being used in criminal activity, the DoJ stated.

“By removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office.

The alleged administrator of the site, a Croatian national, was arrested in his home country as part of the operation.

The NetWire remote command and control server was seized by Swiss authorities, also on Tuesday.

“The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cybercriminals,” Alway said.

One shady review site from 2013, offering free downloads of NetWire software, gave the “advanced remote control utility” its highest five-star rating, calling it "essential."

“NetWire allows you to monitor and control multiple computers at the same time. You can set bandwidth limitations, monitor keystrokes, transfer files and more. The software is cross platform, which means that you may control other machines, with different operating systems,” the review states.

In 2020, a research report by BlackBerry raised questions about the World Wired Labs site being a shell company for Chinese hackers based on the similarity of NetWire to another known remote Trojan (used by Chinese government-backed hacking groups.

NetWire has been used in attacks ranging from credit-card fraud to those targeting the healthcare and banking sectors, Reuters reports.

ADVERTISEMENT

The feds did not reveal how many times NetWire was bought off the seized website.