Netwalker malware: What it is, how it works and how to prevent it | Malware spotlight


Netwalker is a data encryption malware that represents an evolution of the well-known Kokoklock ransomware and has been active since September 2019. This article will detail the specific technical features of the Netwalker ransomware. We will analyze what Netwalker is, how it works and how you can avoid falling victim to this threat.

In the new version of this piece of ransomware, the threat is not compiled into a PE file. Threat actors are using PowerShell scripts to load the threat into the memory (using a well-known technique called reflective loading) and make it a fileless threat, more difficult to detect and analyze. For that, malware operators achieve persistence and evade detection by abusing tools that are already in the system to initiate attacks.

Recent samples of Netwalker are not distributed via social engineering attacks. Instead, it is loaded into the memory via DLL injection during a targeted attack. Thus, it doesn’t need a Windows loader to execute. This is a technique used for several PowerShell scripts, such as PowerSploit’s Invoke-Mimikatz, during Red Team operations. Figure 1 shows the PowerShell script used to initiate the infection process. [CLICK IMAGES TO ENLARGE]

Figure 1: PowerShell script with the malicious payload encoded in Base64

After decoding the initial payload, a byte array is obtained. As shown in Figure 2, an XOR call is used with the key “0xA9” in order to obtain the next stage.

Figure 2: Byte array and XOR call executed during the ransomware infection process

When the task is terminated, the obfuscation phase is skipped. Now, a readable form of the script is obtained. Two DLL files are coded in two-byte arrays along with the source code responsible for executing the encryption process. Notice that the code is quite obfuscated in order to make its analysis difficult.

Figure (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: