Rewterz Threat Alert – NetWalker Ransomware Infiltrates Networks – IoCs

Severity

High

Analysis Summary

Netwalker ransomware attacks on foreign government organizations, education entities, private companies, and health agencies have been observed. Following a successful intrusion, Netwalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options. 
In March 2020, Netwalker spread through a Visual Basic Scripting (VBS) script attached to COVID-19 phishing e-mails that executed the payload once opened. In April 2020, actors using Netwalker began gaining unauthorized access to victim networks by exploiting unpatched Virtual Private Network (VPN) appliances, vulnerable user interface components in web applications, or weak passwords used for Remote Desktop Protocol connections.

Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935). Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable. 
Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ (MEGA), by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. In June 2020, actors transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service: website.dropmefiles.com.

Impact

• Files encryption
• Data Theft
• Unauthorized Access
• Information disclosure
• Network-wide infection

Indicators of Compromise

Filename

• qeSw[.]exe
• Invoke-Mimikatz[.]ps1
• mimikatzN[.]exe
• CORONAVIRUS_COVID-19[.]vbs
• Invoke-mimikittenz[.]ps1
• mimikatz[.]exe
• pwdump7[.]exe

From Email

• 2hamlampampom@cock[.]li
• galgalgalgalk@tutanota[.]com
• johprohnpo@cock[.]li
• cancandecan@tutanota[.]com
• galgalgalgawk@tutanota[.]com
• kavariusing@tutanota[.]com
• eeaammzzyy@cock[.]li
• hamlampampom@cock[.]li
• kazkavkovkiz@cock[.]li
• eeaammzzyy@tuta[.]io
• hariliuios@tutanota[.]com
• kkeessnnkkaa@cock[.]li
• eeeooppaaaxxx@tuta[.]io
• hhaaxxhhaaxx@tuta[.]io
• kkkwwwsvvv@cock[.]li
• knoocknoo@cock[.]li
• pabpabtab@tuta[.]io
• sevenoneone@cock[.]li
• kokbiglock@cock[.]li
• repairdb@seznam[.]cz
• sevenonone@cock[.]li
• kokoklock@cock[.]li
• rrrkkktttaaa@cock[.]li

MD5

• 258ed03a6e4d9012f8102c635a5e3dcd
• 73de5babf166f28dc81d6c2faa369379
• 3d6203df53fcaa16d71add5f47bdd060
• 7a1288c7be386c99fad964dbd068964f
• 5b80cbbdcb697c0b8ec26e6cf0ff305c
• 993b73d6490bc5a7e23e02210b317247
• 27304b246c7d5b4e149124d5f93c5b01
• 8fbc17d634009cb1ce261b5b3b2f2ecb
• 59881abed688ceba3d67c2ff22076ad8
• 6a64553da499c1d9a64d97f4de3882f5

SHA-256

• 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
• 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
• 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
• 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967
• ad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893
• de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d
• 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
• 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c

SHA1

• 655352e00c7e478c3fed38bc6f407982dec3768d
• a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
• 6fd314af34409e945504e166eb8cd88127c1070e
• e393a9ecf0d0a8babaa5efcc34f10577aff1cad1

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems, applications and software updated to latest patched versions against all known security vulnerabilities.
• Maintain a strong password policy.