Rewterz Threat Alert – Netwalker Fileless Ransomware Injected via Reflective Loading

Severity

High

Analysis Summary

Threat actors are continuously creating more sophisticated ways for malware to evade defenses. Researchers have observed Netwalker’s usage of reflective loading techniques and its move to fileless execution. The infection begins with a heavily obfuscated and encrypted PowerShell script. Once decoded and de-obfuscated, it identifies the system architecture in order to determine whether a 32-bit or 64-bit binary should be used. The relevant binary, embedded in the PowerShell script in hex format, is decoded and injected into the memory of the legitimate explorer.exe process. The script also performs the function of deleting Shadow Volume Copies to prevent file recovery. The Netwalker payload operates similar to previous versions. It first kills processes and services related to user documents, backup software, and anti-virus programs. Targeted files include user files; critical files are avoided to prevent rendering the system un-usable. Finally, encryption is performed and a ransom note is dropped providing instructions for paying the ransom in exchange for decryption.

Impact

File encryption

Indicators of Compromise

MD5

b1f0093b89561c6123070165bd2261e2

SHA-256

f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be

SHA1

aac57162dc1311f07a869f7163bd30e0d62dcc0e

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.