
Rewterz Threat Alert – NetWalker Ransomware Infiltrates Networks – IoCs

July 29, 2020

Severity

High

Analysis Summary

Netwalker ransomware attacks on foreign government organizations, education entities, private companies, and health agencies have been observed. Following a successful intrusion, Netwalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options. 
In March 2020, Netwalker spread through a Visual Basic Scripting (VBS) script attached to COVID-19 phishing e-mails that executed the payload once opened. In April 2020, actors using Netwalker began gaining unauthorized access to victim networks by exploiting unpatched Virtual Private Network (VPN) appliances, vulnerable user interface components in web applications, or weak passwords used for Remote Desktop Protocol connections.

Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935). Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable. 
Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ (MEGA), by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. In June 2020, actors transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service: website.dropmefiles.com.

Impact

  • File encryption
  • Data Theft
  • Unauthorized Access
  • Information disclosure
  • Network-wide infection

Indicators of Compromise

Filename

  • qeSw[.]exe
  • Invoke-Mimikatz[.]ps1
  • mimikatzN[.]exe
  • CORONAVIRUS_COVID-19[.]vbs
  • Invoke-mimikittenz[.]ps1
  • mimikatz[.]exe
  • pwdump7[.]exe


Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems, applications and software updated to the latest patched versions against all known security vulnerabilities.
  • Maintain a strong password policy.
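As an added defender-side example (not code from the advisory or from Rewterz), the following Python hunt turns the intrusion chain described above into four detection rules run over constructed process and network telemetry: the IoC filenames listed above, a script host launching a .vbs under the mail client, PowerShell started with an encoded command, and a connection to one of the file-sharing services named in the summary. The pipe-delimited log format, the sample events and the rule names are assumptions made for this example.

```python
import re
# Tooling filenames listed in the advisory's IoCs (defanging brackets removed).
IOC_FILENAMES = {"qesw.exe", "invoke-mimikatz.ps1", "mimikatzn.exe", "coronavirus_covid-19.vbs",
                 "invoke-mimikittenz.ps1", "mimikatz.exe", "pwdump7.exe"}
EXFIL_DOMAINS = ("mega.nz", "dropmefiles.com")   # file-sharing services named in the summary
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev):
    """Return the names of every rule one parsed process/network event trips."""
    hits, image, parent = [], basename(ev["image"]), basename(ev["parent"])
    cmd, dest = ev["cmdline"].lower(), ev["dest"].lower()
    # Rule 1: a filename from the IoC list as the image or anywhere on the command line.
    hits += [f"ioc_filename:{n}" for n in IOC_FILENAMES if image == n or n in cmd]
    # Rule 2: script host running a .vbs under the mail client (the phishing stage).
    if image in SCRIPT_HOSTS and ".vbs" in cmd and parent == "outlook.exe":
        hits.append("vbs_from_mail_client")
    # Rule 3: PowerShell started with an encoded command (the loader stage).
    if image == "powershell.exe" and re.search(r"-e(nc|ncodedcommand)?\s", cmd):
        hits.append("powershell_encoded")
    # Rule 4: connection to one of the file-sharing services used for data theft.
    if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
        hits.append(f"exfil_domain:{dest}")
    return sorted(hits)

def hunt(log_text):
    """Parse 'ts|image|parent|cmdline|dest' lines; return (ts, hits) for each flagged event."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            ts, image, parent, cmdline, dest = line.split("|", 4)
            hits = classify({"image": image, "parent": parent, "cmdline": cmdline, "dest": dest})
            if hits:
                findings.append((ts, hits))
    return findings

# Constructed sample telemetry (hypothetical host, paths and times, not taken from the advisory).
SAMPLE_LOG = r"""
2020-07-29T10:01:02|C:\Windows\System32\wscript.exe|C:\Program Files\Microsoft Office\OUTLOOK.EXE|wscript.exe "C:\Users\alice\AppData\Local\Temp\CORONAVIRUS_COVID-19.vbs"|
2020-07-29T10:01:05|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|powershell.exe -nop -w hidden -enc SQBFAFgA|
2020-07-29T10:07:41|C:\Users\Public\mimikatz.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|mimikatz.exe|
2020-07-29T11:30:00|C:\Program Files\MEGA\MEGAsync.exe|C:\Windows\explorer.exe|MEGAsync.exe|mega.nz
2020-07-29T11:31:10|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe report.txt|
"""
if __name__ == "__main__":
    for ts, hits in hunt(SAMPLE_LOG):
        print(ts, ", ".join(hits))
```

The benign notepad event is included to show the rules stay quiet on ordinary activity; in production the `dest` field would come from network-connection events rather than sit on the process line.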