A Croatian national was arrested for reportedly running NetWire, a Remote Access Trojan (RAT) that has been advertised on cybercrime forums since 2012 as a covert way to spy on infected systems and steal passwords. The arrest coincided with the seizure of the NetWire sales website by the Federal Bureau of Investigation in the United States (FBI). While the defendant, in this case, has not yet been publicly identified, the NetWire website has been leaking information about its owner's likely true identity and location for the past 11 years.
NetWire is a multi-platform threat that can infect not only Microsoft Windows machines but also Android, Linux, and Mac systems. It is typically installed via booby-trapped Microsoft Office documents and distributed via email. NetWire's dependability and low cost ($80-$140 depending on features) have made it a popular RAT on cybercrime forums for years, and NetWire infections consistently rank among the top ten most active RATs in use.
Since 2012, NetWire has been sold openly on the same website: worldwiredlabs[.]com. The domain was taken as part of "a coordinated law enforcement action taken against the NetWire Remote Access Trojan," according to a seizure notice from the US Department of Justice (DOJ).
“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the DOJ today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”
The name of the accused was not mentioned in either the DOJ statement or a press release issued by Croatian authorities about the operation. But it's remarkable that authorities in the United States and elsewhere have taken so long to take action against NetWire and its alleged owner, given that the RAT's author apparently did very little to conceal his true identity.
The WorldWiredLabs website was launched in February 2012 on a dedicated host with no other domains. The site's true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in WorldWiredLabs's historical Domain Name System (DNS) records that point in the same direction.
The WorldWiredLabs domain was moved to another dedicated server at the Internet address 198.91.90.7 in October 2012, which was home to only one other domain: printschoolmedia[.]org, which was also registered in 2012.
Printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address zankomario@gmail.com, according to DomainTools.com. According to DomainTools, this email address was also used to register one other domain in 2012: wwlabshosting[.]com, which was also registered to Mario Zanko from Croatia. A look at the DNS records for printschoolmedia[.]org and wwlabshosting[.]com reveals that both domains used the DNS name server ns1.worldwiredlabs[.]com while they were online. There are no other domains that use the same name server.
Worldwiredlabs[.]com DNS records also show that the site forwarded incoming email to tommaloney@ruggedinbox.com. This email address was used to register an account at the clothing retailer romwe.com, using the password "123456xx," according to Constella Intelligence, a service that indexes information exposed by public database leaks.
A reverse search on this password in Constella Intelligence reveals that it has been used by over 450 email addresses, two of which are zankomario@gmail.com and zankomario@yahoo.com. A search in Skype for zankomario@gmail.com yields three results, including the account name "Netwire" and the username "Dugidox," as well as another for a Mario Zanko (username zanko.mario).
Dugidox is the hacker handle that has been most frequently associated with NetWire sales and support discussion threads on various cybercrime forums over the years. Constella associates dugidox@gmail.com with a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, as well as Croatian IP addresses for both. According to Constella, the email address zankomario@gmail.com used the password "dugidox2407."
Someone with the email address dugidox@gmail.com registered the domain dugidox[.]com in 2010. The WHOIS records for that domain name list a "Senela Eanko" as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanco's name.
Prior to Google+'s demise, the email address dugidox@gmail.com corresponded to an account with the nickname "Netwire wwl." The dugidox email address was also linked to a Facebook account (mario.zanko3), which included check-ins and photos from various locations throughout Croatia.
That Facebook page is no longer active, but the administrator of WorldWiredLabs stated in January 2017 that he was considering adding certain Android mobile functionality to his service. Three days later, the Mario.Zank3 profile posted a photo saying he was chosen for an Android instruction course — with his dugidox email clearly visible.
According to incorporation records from the United Kingdom's Companies House, Mr. Zanko became an officer in a company called Godbex Solutions LTD in 2017. In a YouTube video, Godbex is described as a "next generation platform" for exchanging gold and cryptocurrencies. As per Companies House records, Godbex was dissolved in 2020. Mr. Zanko was born in July 1983, and his occupation is listed as "electrical engineer."
Multiple requests for comment from Mr. Zanko went unanswered. The Croatian police have issued a statement regarding the NetWire takedown.