{"id":16391,"date":"2019-09-23T15:20:42","date_gmt":"2019-09-23T23:20:42","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/23\/news-10132\/"},"modified":"2019-09-23T15:20:42","modified_gmt":"2019-09-23T23:20:42","slug":"news-10132","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/23\/news-10132\/","title":{"rendered":"New NetWire RAT Variant Being Spread Via Phishing"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>A FortiGuard Labs Threat Analysis<\/i><\/p>\n<h2>Background<\/h2>\n<p>NetWire is a Remote Access Trojan (RAT) malware that has been widely used for many years. Recently, FortiGuard Labs noticed malware spreading via phishing email, and during our analysis we discovered that it was a new variant of the NetWire RAT.<\/p>\n<p>In this analysis, I am going to present what this new variant does on a victim\u2019s system.<\/p>\n<h2>NetWire Being Spread via Phishing Email<\/h2>\n<p>Figure 1, below, is a screenshot of the phishing email content. It contains a PDF-like picture at the bottom, hyperlinked to the NetWire download link. Once a victim clicks on it, the malware file is downloaded onto the victim\u2019s system.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 1. The phishing email containing a picture and the download link \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
The phishing email containing a picture and the download link <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see, the malware file download link is: \u201c<i>hxxps[:]\/\/www[.]mediafire[.]com\/file\/d86hz5qj21lmhrb\/PROFORMA-INVOICE_0990.7z\/file<\/i>\u201d.<\/p>\n<p>The downloaded file is a 7z archive, which contains the new variant of NetWire RAT. After decompressing it, we get an EXE file named \u201cPROFORMA-INVOICE 0990.exe\u201d.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_1536050599.img.png\" alt=\"Figure 2. Decompressing the 7z file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Decompressing the 7z file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Anti-Analysis Techniques<\/h2>\n<p>This variant of NetWire was compiled using MS Visual Basic. It uses many anti-analysis techniques to hinder analysis.<\/p>\n<ol>\n<li>It dynamically extracts malicious code into its memory and executes it. This makes static analysis harder.<\/li>\n<li>Right from the beginning, it stops running until the victim moves their mouse. It does this by comparing the mouse cursor position twice. A non-matching result means the mouse has been moved. This technique is used for anti-sandboxing.<\/li>\n<\/ol>\n<p>Figure 3 shows that it calls the API USER32.GetCursorPos() twice to obtain two mouse cursor positions and then compares them. 
If they are the same (the victim is not moving the mouse), it stops running, sleeps, and then checks again. It repeats this until the two positions differ.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_1156221435.img.png\" alt=\"Figure 3. Checking to see if the victim has moved the mouse\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Checking to see if the victim has moved the mouse<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">3. Anti-debugging techniques are also used. It detects whether hardware breakpoints, memory breakpoints, and a single-step breakpoint have been set. 
In addition, each time it calls one of several key API functions, it first checks whether a debugger has set a software breakpoint at the start of the API.<\/p>\n<p>Below is a code snippet of it performing this detection:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><body>  <\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;call&nbsp; dword ptr [ebp+110]&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><strong><span style=\"color: #00b050; background: #D9D9D9;\">kernel32.GetCurrentThread<\/span><\/strong><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;push&nbsp; dword ptr [edi+4000]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;push&nbsp; eax<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;call&nbsp; dword ptr [ebp+104]&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><strong><span style=\"color: #00b050; background: #D9D9D9;\">ntdll.ZwGetContextThread<\/span><\/strong><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;eax, 0<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;mov&nbsp; &nbsp;eax, dword ptr [edi+4000]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+4], 0&nbsp;&nbsp;&nbsp;&nbsp; ; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr0<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+8], 0&nbsp;&nbsp;&nbsp;&nbsp; ; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr1<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+C], 0&nbsp;&nbsp;&nbsp;&nbsp; ; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr2<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: 
normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+10], 0&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr3<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+14], 0&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr6<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [eax+18], 0&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Dr7<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;pop&nbsp; &nbsp;eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">Key API address, like 
kernel32.CreateProcessInternalW<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;mov&nbsp; &nbsp;bl, byte ptr [eax]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;bl, 0CC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">check soft breakpoint<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;je&nbsp;&nbsp; short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;mov&nbsp; &nbsp;bx, word ptr [eax]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;bx, 3CD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">check soft breakpoint<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;je&nbsp;&nbsp; short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;mov&nbsp; &nbsp;bx, word ptr [eax]<\/span><\/em><\/p>\n<p style=\"margin: 0in 
0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;bx, 0B0F&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">check soft breakpoint<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;je&nbsp;&nbsp; short 00391EA5<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;call&nbsp; eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;; <\/span><span style=\"color: #00b050; background: #D9D9D9;\">call the API like kernel32.CreateProcessInternalW<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;movd&nbsp; ecx, mm1<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;movd&nbsp; edx, mm3<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;sub&nbsp; &nbsp;edx, 4 <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: #0070c0; background: #D9D9D9;\">loc_391E95:<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span 
style=\"color: black; background: #D9D9D9;\">&nbsp;xor&nbsp; &nbsp;dword ptr [edx], ecx<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;sub&nbsp; &nbsp;edx, 4<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;cmp&nbsp; &nbsp;dword ptr [edx+4], 41414141<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jnz&nbsp; &nbsp;short 00391E95<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jmp&nbsp; &nbsp;ecx<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: #0070c0; background: #D9D9D9;\">loc_391EA5:<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;sub&nbsp; &nbsp;esp, 100<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;sub&nbsp; &nbsp;ebp, 100<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;popad <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 27pt; text-indent: 9.35pt; line-height: normal; font-family: Calibri, 
sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;jmp&nbsp; &nbsp;eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<\/span><strong><span style=\"color: red; background: #D9D9D9;\">;;;; Jump to random address to crash itself<\/span><\/strong><span style=\"color: red; background: #D9D9D9;\">.<\/span><\/em><\/p>\n<p>  <\/body>  <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It also calls the API ntdll.ZwGetContextThread to obtain the current thread context structure, which contains the state of the CPU debug registers. Once a debugger sets hardware breakpoints, the debug registers Dr0, Dr1, Dr2, Dr3, Dr6 and Dr7 are no longer zero. Register eax holds an API address. It checks the first bytes at that address to see whether they are 0CC, 3CD or 0B0F, which are the opcodes of soft breakpoints (Int 3). Once one of the above conditions is triggered, NetWire jumps to a random address to crash itself. Windows then pops up a crash message, like the one shown in Figure 4.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_583467490.img.png\" alt=\"Figure 4. Anti-Debugging is triggered\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Anti-Debugging is triggered<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">4. Like most malware, NetWire spawns a suspended child process of itself, and then modifies its memory and its thread context data. In this case, it only modifies the OEP value in the thread context. 
When everything is ready, the parent process resumes the child process and exits. The true code of NetWire is extracted to overwrite the existing code in the child process, where it is then executed. This makes the malware harder to analyze.<\/p>\n<h2>Analysis of The Child Process<\/h2>\n<p>The OEP of the true code of the new NetWire variant is called in a thread. It starts by initializing several global variables and Windows Sockets by calling the API <i>WSAStartup()<\/i>. Next, it decrypts some encrypted strings.<\/p>\n<p>It checks to see if the current executable file is located in the correct folder (%AppData%\\Install) and has the right file name (Host.exe). If not, it relocates the file into \u201c%AppData%\\Install\u201d and renames it as \u201cHost.exe\u201d.<\/p>\n<p>It then runs the relocated file and exits the current process. The new process then performs all of the above procedures again. Figure 5 is a screenshot of the process tree. You can see the NetWire process relocated to \u201cC:\\Users\\user_name\\AppData\\Roaming\\Install\\Host.exe\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_994299198.img.png\" alt=\"Figure 5. The relocated NetWire\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. The relocated NetWire<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>NetWire then creates its home key (HKCU\\SOFTWARE\\NetWire) and adds itself to the auto-run group in the victim\u2019s registry. In this way, it runs automatically when the infected system starts. 
Figure 6 shows a screenshot of the Registry Editor.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_1124473103.img.png\" alt=\"Figure 6. NetWire is added to the Auto-run group in the system registry\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. NetWire is added to the Auto-run group in the system registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>NetWire creates a log folder to store the log files of information that it collects from the victim\u2019s system. The log folder is located at \u201c%AppData%\\Logs\u201d. It then calls the <i>_beginthreadex()<\/i> function to start a thread. The thread function registers a window class whose window procedure is a keylogger, which records all of the victim\u2019s keystrokes, their times, and the titles of the windows the victim is typing into. The recorded data is encoded and stored in a log file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_1683644067.img.png\" alt=\"Figure 7. Encoded Keylogger log file and its decoded content\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. 
Encoded Keylogger log file and its decoded content<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The left side of Figure 7 is the encoded keylogger record and the right side is the plaintext content that was decoded by my python script. As you can see in the red rectangle, what it has harvested is a website that I typed into the Google Chrome browser.<\/p>\n<h2>Communicating with the C&amp;C Server<\/h2>\n<p>It obtains the IP address of the C&amp;C server from a DNS lookup. The domain is found in the decrypted strings; for this variant it is \u201cgbam0001.duckdns[.]org:3366\u201d.<\/p>\n<p>Since its C&amp;C server was down at the time I started to analyze this new variant, I used a fake C&amp;C server on one of my test systems to send the crafted response packet used in my analysis.<\/p>\n<p>Once the connection with its server is established, NetWire starts waiting for the C&amp;C server to reply with a \u201c9B\u201d command packet, which I crafted to feed it from the fake C&amp;C server.<\/p>\n<p>NetWire has a function that I call \u201cTask_Fun()\u201d to handle all of the commands from the C&amp;C server. Once NetWire receives the \u201c9B\u201d command, Task_Fun() handles it in a sub procedure which collects basic information about the victim\u2019s computer and sends it back to the C&amp;C server.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_1596356863.img.png\" alt=\"Figure 8. Collected victim\u2019s computer information is sent to C&amp;C server\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Collected victim\u2019s computer information is sent to C&amp;C server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 8 shows a packet that is about to be sent to the C&amp;C server. The first four bytes are \u201c56\u201d in hexadecimal, which is the size of the data that follows. \u201c9B\u201d is the command number. The rest is the payload data, in which \u201c07\u201d is a special separator between data fields.<\/p>\n<p>All packets have the same structure, shown below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image_512340195.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>From the \u201c9B\u201d packet, we can see that NetWire harvested the following information from the victim\u2019s system:<\/p>\n<ol>\n<li>The current login user name, collected by calling the API <i>GetUserNameA()<\/i> or read from the system environment variable.<\/li>\n<li>The victim\u2019s computer name, obtained by calling the API <i>GetComputerNameA()<\/i>.<\/li>\n<li>The victim\u2019s Windows version information, obtained by calling the API <i>GetVersionExA()<\/i>.<\/li>\n<li>The topmost application title. It is Google Chrome in this analysis.<\/li>\n<li>The victim\u2019s computer\u2019s current time. It is \u201c2019-09-14 16:59:34\u201d in this analysis.<\/li>\n<li>The computer\u2019s IP address. 
It is \u201c10.0.2.15\u201d in this analysis.<\/li>\n<\/ol>\n<p>This new variant of NetWire currently only supports the \u201c9B\u201d command.<\/p>\n<h2>What More Can This NetWire Variant Do?<\/h2>\n<p>As I mentioned above, the function Task_Fun() handles the commands, with one sub procedure called for each command. Other than the \u201c9B\u201d command, it has more than 80 sub procedures. That means it can handle more than 80 commands sent from the C&amp;C server.<\/p>\n<p>Below is the entire feature set that this new NetWire variant supports. Let\u2019s take a look at them and see what they can do on the victim\u2019s system.<\/p>\n<p style=\"margin-left: 40.0px;\">1. Obtains a time value indicating how long the victim has been inactive since the last input.<br \/> <b style=\"\">Command number<\/b>: 097h<\/p>\n<p style=\"margin-left: 40.0px;\">2. Executes a downloaded executable file or an existing local file like \u201ccmd.exe\u201d.<br \/> <b style=\"\">Command numbers<\/b>: 09Ch, 09Ch, 0A3h, 0AFh, 0B6h, 0C3h\u00a0\u00a0<\/p>\n<p style=\"margin-left: 40.0px;\">3. Performs actions including: exiting the NetWire process, closing the socket to the C&amp;C server, reading a value from its home key in the system registry, resetting or deleting a specified registry key, deleting the NetWire executable file, and relocating its executable file (\u201cHost.exe\u201d).<br \/> <b style=\"\">Command numbers<\/b>: 09Fh, 0A0h, 0A1h, 0A2h, 0AEh, 0E5h, 0E7h<\/p>\n<p style=\"margin-left: 40.0px;\">4. Collects the partition and hard drive information of the victim\u2019s system; obtains file information in a specified folder; obtains file information by specified file type; creates a specified directory or file and writes content to a specified file; deletes or relocates a specified file; and performs other file-related operations.<br \/> <b style=\"\">Command numbers<\/b>: 09Fh, 0A0h, 0A1h, 0A2h, 0AEh, 0AFh, 0B0h ~ 0B5h, 0B7h, 0DFh, 0E8h<\/p>\n<p style=\"margin-left: 40.0px;\">5. 
Steals and collects credentials stored in the victim\u2019s system by different software. It focuses on these: 360Chrom, Opera, Mozilla Firefox, Mozilla SeaMonkey, Google Chrome, Comodo Dragon browser, YandexBrowser, Brave-Browser, Mozilla Thunderbird, Microsoft Outlook and Pidgin. It also reads the victim&#8217;s browser history records from the history folder.<br \/> <b style=\"\">Command numbers<\/b>: 0D4h, 0D5h, 0D6h, 0D7h, 0D8h, 0D9h. <\/p>\n<p style=\"margin-left: 40.0px;\">6. Operates on the log files in its folder (\u201c%AppData%\\Log\u201d), including enumerating log files, getting the attributes of a specified log file, and reading or deleting a specified log file.<br \/> <b style=\"\">Command numbers<\/b>: 0CCh, 0CEh, 0CFh, 0D0h.<\/p>\n<p style=\"margin-left: 40.0px;\">7. Obtains handles of windows created on the victim\u2019s device; sends a Windows message to a window identified by a given window handle; obtains information on all running processes on the victim\u2019s device; kills a running process by a given process ID; obtains a list of TCP or UDP endpoints (protocol, local and remote IP address, port, status) together with the process information (process name, process ID) of the process associated with each endpoint.<\/p>\n<p>Below is an example of collected endpoint data from my test system:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><body>  <\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8050<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 73 76 63 68 6F 73 74 2E 65 78 65 07 37 30 38 07 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">svchost.exe708<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: 
#D9D9D9;\">1E6D8060<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 54 43 50 07 30 2E 30 2E 30 2E 30 3A 31 33 35 07 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">TCP0.0.0.0:135<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8070<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 30 2E 30 2E 30 2E 30 3A 30 07 4C 69 73 74 65 6E <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">0.0.0.0:0Listen<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8080<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 69 6E 67 2E 2E 2E 07 6E 63 2E 65 78 65 07 33 34 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">ing&#8230;nc.exe34<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8090<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 32 38 07 54 43 50 07 30 2E 30 2E 30 2E 30 3A 34 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">28TCP0.0.0.0:4<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80A0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 34 33 07 30 2E 30 2E 30 2E 30 3A 30 07 4C 69 73 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">430.0.0.0:0Lis<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80B0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 74 65 6E 69 6E 67 2E 2E 
2E 07 53 79 73 74 65 6D <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">tening&#8230;System<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80C0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 07 34 07 54 43 50 07 30 2E 30 2E 30 2E 30 3A 34 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">4TCP0.0.0.0:4<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80D0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 34 35 07 30 2E 30 2E 30 2E 30 3A 30 07 4C 69 73 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">450.0.0.0:0Lis<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80E0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 74 65 6E 69 6E 67 2E 2E 2E 07 77 6D 70 6E 65 74 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">tening&#8230;wmpnet<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D80F0<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 77 6B 2E 65 78 65 07 32 37 32 30 07 54 43 50 07 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">wk.exe2720TCP<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8100<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 30 2E 30 2E 30 2E 30 3A 35 35 34 07 30 2E 30 2E <\/span><span style=\"color: #c0504d; background: 
#D9D9D9;\">0.0.0.0:5540.0.<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8110<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 30 2E 30 3A 30 07 4C 69 73 74 65 6E 69 6E 67 2E <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">0.0:0Listening.<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8120<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 2E 2E 07 53 79 73 74 65 6D 07 34 07 54 43 50 07 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">..System4TCP<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8130<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 30 2E 30 2E 30 2E 30 3A 32 38 36 39 07 30 2E 30 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">0.0.0.0:28690.0<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><strong><span style=\"color: black; background: #D9D9D9;\">1E6D8140<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> 2E 30 2E 30 3A 30 07 4C 69 73 74 65 6E 69 6E 67 <\/span><span style=\"color: #c0504d; background: #D9D9D9;\">.0.0:0Listening<\/span><\/p>\n<p style=\"margin: 0in 0in 0.0001pt 22.5pt; line-height: normal; font-family: Calibri, sans-serif;\"><span style=\"color: black; background: #D9D9D9;\">[&hellip;]<\/span><\/p>\n<p>  <\/body>  <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\"><b>Command numbers<\/b>: 0BEh, 0C0h, 0C1h, 0C2h, 0E3h.<\/p>\n<p style=\"margin-left: 40.0px;\">8. 
Collects basic information about the victim\u2019s computer, including the current user name, logon session information, computer name, CPU information, Windows version, memory status, network status, and Windows installation path. It also collects the PowerShell installation path, the full path of the NetWire executable, the full path of its Log folder, and so on.<br \/> <b>Command numbers<\/b>: 0BAh, 0BCh.<\/p>\n<p style=\"margin-left: 40.0px;\">9. Controls the victim\u2019s input devices, namely the keyboard and mouse. By calling keybd_event and mouse_event, it can simulate keyboard and mouse operations.<br \/> <b>Command numbers<\/b>: 0C5h, 0C6h, 0C7h, 0C8h.<\/p>\n<p style=\"margin-left: 40.0px;\">Once a command action is finished, it sends packets to its C&amp;C server carrying the execution status or the data it collected.<\/p>\n<h2>Solutions<\/h2>\n<p>The original download URL in the phishing email and the domain of the C&amp;C server are both rated as \u201c<b>Malicious Websites<\/b>\u201d by the FortiGuard Web Filtering service.<\/p>\n<p>The 7z file and the decompressed EXE file are detected as \u201c<b>W32\/NetWire.A!tr<\/b>\u201d by the FortiGuard Antivirus service.<\/p>\n<h2>Sample SHA256<\/h2>\n<p>[PROFORMA-INVOICE 0990.exe]<br \/> C9EC52AE2DDB993E2DA0EFD4FBAB0BFECDC7CC6DA16E446AC9C92E7981733E6E<\/p>\n<p>[PROFORMA-INVOICE 0990.7z]<br \/> 56BB4AAC4E52FD5D71824782D1DBE05D4209045C1E5DD80936690E81652183B8<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/IVBNsySDLTY\/new-netwire-rat-variant-spread-by-phishing.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-netwire-rat-variant-spread-by-phishing\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>FortiGuard Labs recently discovered a new NetWire RAT variant spreading via phishing email. 
Learn more about this malware.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16391","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16391"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16391\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16391"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}