VERY IMPORTANT

A few days ago, FortiGuard Labs harvested a fresh Excel sample from the wild being used in an IRS phishing lure. I did a deep analysis on it and found that it was spreading a new NetWire RAT variant using an Excel 4.0 Macro. In this post, we will look at how this Excel 4.0 Macro executes in a Excel file, how the NetWire RAT is installed on the victim’s system, as well as what this NetWire RAT variant actually does once it is installed.