A Croatian national was arrested allegedly for the operation NetWire, a Remote Access Trojan (RAT) sold on cybercrime forums since 2012 as a covert way to spy on infected systems and siphon passwords. The arrest coincided with the seizure of the NetWire sales website of US Federal Bureau of Investigation (FBI). While the defendant in this case has not been publicly named, the NetWire website has been releasing information about its owner’s likely true identity and location for the past 11 years.
Usually installed by booby-trap Microsoft Office documents and distributed by email, NetWire is a multi-platform threat capable of targeting not only Microsoft Windows machines but also Android, Linux and Mac systems.
NetWire’s reliability and relatively low cost ($80-$140 depending on features) have made it a very popular RAT on cybercrime forums for years, and NetWire infections consistently rank among the top 10 most active RATs in use.
NetWire has been openly sold on the same website since 2012: worldwiredlabs[.]com. That website now features a seizure notice from US Department of Justicewhich says the domain was seized as part of “a coordinated law enforcement action taken against the NetWire Remote Access Trojan.”
“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who is allegedly the administrator of the website,” it said. a statement through US Department of Justice now. “This accused will be prosecuted by Croatian authorities. In addition, Swiss law enforcement on Tuesday seized the computer server hosting the NetWire RAT infrastructure.
Neither the DOJ statement nor a press release in the operation published by the Croatian authorities the name of the accused was mentioned. But it’s quite remarkable that it took so long for authorities in the United States and elsewhere to move against NetWire and its alleged owner, since the author of the RAT apparently did so little to hide his real life identity.
The WorldWiredLabs website first went online in February 2012 using a dedicated host with no other domains. The site’s true WHOIS registration records have always been hidden by privacy protection services, but there are many clues in the historical Domain Name System (DNS) records for WorldWiredLabs that point in the same direction.
In October 2012, the WorldWiredLabs domain moved to another dedicated server at Internet address 198.91.90.7, which is home to another domain: printschoolmedia[.]orgalso registered in 2012.
According to DomainTools.comprintschoolmedia[.]org is registered in a Mario Zanko in Zapresic, Croatia, and at the email address zankomario@gmail.com. DomainTools further shows that this email address was used to register another domain in 2012: wwlabhosting[.]comalso registered to Mario Zanko from Croatia.
An examination of the DNS records for both printschoolmedia[.]org and wwlabhosting[.]com shows that while these domains are online, they use the same DNS name server ns1.worldwiredlabs[.]com. No other domains are registered with that same name server.
The WorldWiredLabs website, as of 2013. Source: Archive.org.
DNS records for worldwiredlabs[.]com also shows the site that forwarded incoming email to the address tommaloney@ruggedinbox.com. Constella Intelligencea service that indexes information exposed in public database leaks, reveals that this email address was used to register an account with clothing retailer romwe.com, using the password “123456xx.”
Running a reverse search on this password in Constella Intelligence shows that there are over 450 email addresses known to have used this credential, and two of those are zankomario@gmail.com and zankomario@yahoo.com.
A search at zankomario@gmail.com at Skype returns three results, including the account name “Netwire” and the username “Dugidox,” and another for one Mario Zanko (username zanko.mario).
Dugidox corresponds to the hacker handle most frequently associated with NetWire discussion threads and support on many cybercrime forums over the years.
Constella ties dugidox@gmail.com to several website registrations, including the Dugidox handle on BlackHatWorld and HackForums, and to IP addresses in Croatia for both. Constella also shows the email address zankomario@gmail.com uses the password “dugidox2407.”
In 2010, someone using the email address dugidox@gmail.com registered the domain dugidox[.]com. The WHOIS registration records for that domain list a “Senela Eanko” as the registrant, but the address used is the same Zapresic street address that appears in the WHOIS records for printschoolmedia[.]org, registered in Mr. Zanco’s name.
Before the passing of Google+the email address dugidox@gmail.com is mapped to an account with the nickname “Netwire wwl.” The dugidox email is also tied to a Facebook account (mario.zanko3), featuring check-ins and photos from various places in Croatia.
That Facebook profile is no longer active, but in January 2017, the WorldWiredLabs administrator posted that he was considering adding some Android mobile-specific functionality to his service. Three days after that, Mario.Zank3’s profile posted a photo saying he had been selected for an Android training course — naturally his dugidox email was included in the photo.
Incorporation records from the UK’s Companies House show that in 2017 Mr Zanko became an officer in a company called Godbex Solutions LTD. A YouTube videos Using this company name describes Godbex as a “next generation platform” for the exchange of gold and cryptocurrencies.
UK Companies House records show that Godbex was dissolved in 2020. It also says that Mr. Zanko in July 1983, and listed his occupation as “electrical engineer.”
Mr. Zanko did not respond to multiple requests for comment.