LTS Secure Warning: Netwalker Ransomware Becomes Fileless In Order to Be More Stealthy

Researchers have recently identified, Netwalker Ransomware being used in attacks. The unique thing about the attack is the fact that the malware is not complied, rather it is written in PowerShell & gets executed straight in memory without storing the malware on the disk.

Technical Details

The PowerShell script “Ransom.PS1.NETWALKER.B”, has been hidden beneath various levels of:-

• Encryption
• Obfuscation
• Encoding

assisting it evade detection & analysis.

The malware has the capability to locate the required API address from the kernell32.dll, and can perform memory address calculations. The script can also compute & resolve the required memory address & relocations, in order to ensure the proper loading of the DLL.

It then goes ahead to define the process, it is going to inject into, which is mostly the Windows Explorer process. And finally, it writes & executes the malicious DLL in the explorer.exe memory space.

Impact

• Loss of Productivity.
• Operational and financial loss to the Business or an individual.
• Temporary or Permanent loss of Sensitive/Confidential data.

Recommended Actions

• Take system back-ups on regular intervals.
• Avoid Opening emails & attachments from unknown senders.
• Ensure that your devices are always up-to-date with the latest patches released.
• Use Powershell logging capabilities to monitor for suspicious behaviour.
• Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.