WiryJMPer is a dropper trojan that uses a novel obfuscation method to disguise its operations on affected systems. It infects computers with a NetWire payload hidden between two benign binaries, and relies on obfuscation to evade detection by most anti-malware solutions.

At the time of publication, WiryJMPer is distributed as a binary file disguised as the legitimate application ABBC Coin Wallet (specifically version 3.9.1).

It is presently unclear how this application is delivered, although unconfirmed reports indicate it is downloaded from third-party hosting sites. The file contains a sizeable amount of content from the WinBin2Iso (version 3.16) file converter, and uses multiple JMP loop-handling instructions to prevent static analysis and security tools from detecting its presence.

When executed, WiryJMPer will create a bespoke virtual machine (VM) in memory to decrypt and combine several separate code sections contained within its binary to produce the intended payloads. Once these are installed, the VM is used to initiate a connection to a command and control server. WiryJMPer will also attempt to install legitimate versions of both ABBC Coin Wallet and WinBin2Iso.

NetWire (also known as Recam or NetWiredRC) is a remote access trojan (RAT) that has been widely used since 2012. It provides remote control capabilities with a focus on keylogging and password stealing, enabling attackers to gain unauthorized access to victims' computers and control them remotely, among a host of other things.

Further details can be found here – https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/

Netwire C&C servers


Samples (SHA-256)

f1963b44a9c887f02f6e9574aea863974be57a033600047b8e0911f9dbcb9914 - Analyzed sample
7477159797a7f06e3c153662bfef624d056e64b552f455fe53e80f0afb0a1860 - ABBC Coin wallet
6daa1ff03fdbbb58b1f41d2f7dc550ee97fc5b957252b7f1703c81c50b3d406f - Netwire payload

