Rewterz Threat Alert – NetWalker Ransomware Infiltrates Networks – IoCs

July 29, 2020

Severity

High

Analysis Summary

Netwalker ransomware attacks on foreign government organizations, education entities, private companies, and health agencies have been observed. Following a successful intrusion, Netwalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options.
In March 2020, Netwalker spread through a Visual Basic Scripting (VBS) script attached to COVID-19 phishing e-mails that executed the payload once opened. In April 2020, actors using Netwalker began gaining unauthorized access to victim networks by exploiting unpatched Virtual Private Network (VPN) appliances, vulnerable user interface components in web applications, or weak passwords used for Remote Desktop Protocol connections.

Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935). Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable.
Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ (MEGA), by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. In June 2020, actors transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service: website.dropmefiles.com.

Impact

Files encryption
Data Theft
Unauthorized Access
Information disclosure
Network-wide infection

Indicators of Compromise

Filename

qeSw[.]exe
Invoke-Mimikatz[.]ps1
mimikatzN[.]exe
CORONAVIRUS_COVID-19[.]vbs
Invoke-mimikittenz[.]ps1
mimikatz[.]exe
pwdump7[.]exe

From Email

2hamlampampom@cock[.]li
galgalgalgalk@tutanota[.]com
johprohnpo@cock[.]li
cancandecan@tutanota[.]com
galgalgalgawk@tutanota[.]com
kavariusing@tutanota[.]com
eeaammzzyy@cock[.]li
hamlampampom@cock[.]li
kazkavkovkiz@cock[.]li
eeaammzzyy@tuta[.]io
hariliuios@tutanota[.]com
kkeessnnkkaa@cock[.]li
eeeooppaaaxxx@tuta[.]io
hhaaxxhhaaxx@tuta[.]io
kkkwwwsvvv@cock[.]li
knoocknoo@cock[.]li
pabpabtab@tuta[.]io
sevenoneone@cock[.]li
kokbiglock@cock[.]li
repairdb@seznam[.]cz
sevenonone@cock[.]li
kokoklock@cock[.]li
rrrkkktttaaa@cock[.]li

MD5

258ed03a6e4d9012f8102c635a5e3dcd
73de5babf166f28dc81d6c2faa369379
3d6203df53fcaa16d71add5f47bdd060
7a1288c7be386c99fad964dbd068964f
5b80cbbdcb697c0b8ec26e6cf0ff305c
993b73d6490bc5a7e23e02210b317247
27304b246c7d5b4e149124d5f93c5b01
8fbc17d634009cb1ce261b5b3b2f2ecb
59881abed688ceba3d67c2ff22076ad8
6a64553da499c1d9a64d97f4de3882f5

SHA-256

8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967
ad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d
8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c

SHA1

655352e00c7e478c3fed38bc6f407982dec3768d
a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
6fd314af34409e945504e166eb8cd88127c1070e
e393a9ecf0d0a8babaa5efcc34f10577aff1cad1

Remediation

Block the threat indicators at their respective controls.
Keep all systems, applications and software updated to latest patched versions against all known security vulnerabilities.
Maintain a strong password policy.