Netwalker Fileless Ransomware Injected via Reflective Loading

By Karen Victor


Threat actors are continuously creating more sophisticated ways for malware to evade defenses. We have observed Netwalker ransomware attacks in which the malware is not a compiled binary but a PowerShell script that is executed directly in memory, without the actual ransomware binary ever being written to disk. This makes the variant a fileless threat: it maintains persistence and evades detection by abusing tools that are already present on the system to carry out the attack.
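Because the ransomware exists only as a PowerShell script, the most useful telemetry is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel), which records the decoded script text even when it is executed from memory. The following triage scorer is an added example written for this article, not code from the original post or from Trend Micro; the indicator list, weights, threshold and the three sample events are constructed assumptions, and the base64 literal in the sample is padding, not real content.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Indicators of in-memory execution commonly found in script block logs.
# Weights and patterns are assumptions chosen for this example.
INDICATORS = [
    (r"FromBase64String", 2, "base64 decode of an embedded blob"),
    (r"[A-Za-z0-9+/]{200,}={0,2}", 2, "long base64-looking literal"),
    (r"Invoke-Expression|\bIEX\b", 2, "dynamic code evaluation"),
    (r"DllImport", 3, "P/Invoke declaration of native APIs"),
    (r"VirtualAlloc|VirtualProtect", 3, "executable memory allocation"),
    (r"WriteProcessMemory|CreateRemoteThread", 4, "cross-process injection API"),
    (r"\[System\.Reflection\.Assembly\]::Load\(", 3, "assembly loaded from bytes"),
    (r"-EncodedCommand|-enc\b", 1, "encoded command line"),
]


@dataclass
class Finding:
    record_id: int
    score: int
    reasons: List[str] = field(default_factory=list)


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Sum the weights of every indicator present in one script block."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def triage(events, threshold: int = 6) -> List[Finding]:
    """Return the events whose combined indicator score reaches the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_script_block(ev["script"])
        if score >= threshold:
            findings.append(Finding(ev["record_id"], score, reasons))
    return findings


# Constructed sample events in the shape a 4104 export would give us.
# The base64 literal is 'TVqQ...' followed by padding; it is not real shellcode.
SAMPLE_EVENTS = [
    {"record_id": 1001,
     "script": r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"record_id": 1002,
     "script": "$b = [Convert]::FromBase64String('" + "TVqQAAMAAAAEAAAA" + "A" * 200 + "')\n"
               "Add-Type -TypeDefinition '[DllImport(\"kernel32\")] "
               "public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);'"},
    {"record_id": 1003,
     "script": "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($env:BLOB))"},
]


def run_sample() -> List[Finding]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"record {f.record_id}: score {f.score} -> {', '.join(f.reasons)}")
```

Record 1002 scores 10 and is flagged; 1003 scores 5 and stays under the threshold, which is the point of weighting rather than matching single strings: one reflective assembly load is common in legitimate tooling, while a decoded blob handed to a P/Invoke allocation routine is the fileless pattern the article describes. In production the events come from `Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational` filtered on ID 4104.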


This type of threat leverages a technique called reflective dynamic-link library (DLL) injection, also referred to as reflective DLL loading. The technique allows a DLL to be loaded from memory rather than from disk. It is stealthier than regular DLL injection because, besides not needing the DLL file on disk, it does not rely on the Windows loader to map the DLL. The DLL is therefore never registered as a loaded module of the process, which lets the malware evade DLL load monitoring tools.
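The flip side of bypassing the Windows loader is that a reflectively loaded DLL leaves a recognizable memory artifact: committed, executable memory that is not backed by an image section and does not fall inside any module the loader knows about, often still carrying a PE header. The scanner below is an added example written for this article, not code from the original post or from Trend Micro; it classifies memory-region records of the kind `VirtualQueryEx` returns, and the modules and regions it runs over are constructed sample data, not values taken from the Netwalker sample.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protection constant names that make a page executable (Windows PAGE_* values).
EXECUTABLE_PROTECTIONS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Region:
    base: int
    size: int
    state: str      # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    type: str       # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    protect: str    # PAGE_* protection name
    head: bytes     # first bytes of the region, for the PE-header check


@dataclass
class Module:
    path: str       # module as registered with the loader
    base: int
    size: int


def inside_known_module(region: Region, modules: List[Module]) -> bool:
    return any(m.base <= region.base < m.base + m.size for m in modules)


def classify(region: Region, modules: List[Module]) -> Optional[List[str]]:
    """Return the reasons a region looks reflectively loaded, or None if benign."""
    if region.state != "MEM_COMMIT" or region.protect not in EXECUTABLE_PROTECTIONS:
        return None                      # not executable, not interesting here
    if region.type == "MEM_IMAGE" and inside_known_module(region, modules):
        return None                      # normal code pages of a loaded module
    reasons = []
    if region.type != "MEM_IMAGE":
        reasons.append(f"executable {region.type} memory not backed by an image")
    else:
        reasons.append("image-mapped executable region outside the loader's module list")
    if region.head.startswith(b"MZ"):
        reasons.append("PE header present in unbacked memory")
    if region.protect == "PAGE_EXECUTE_READWRITE":
        reasons.append("RWX protection")
    return reasons


def scan(regions: List[Region], modules: List[Module]) -> List[Tuple[int, List[str]]]:
    flagged = []
    for r in regions:
        reasons = classify(r, modules)
        if reasons:
            flagged.append((r.base, reasons))
    return flagged


# Constructed sample data: addresses and sizes are illustrative only.
SAMPLE_MODULES = [
    Module(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 0x7FF700000000, 0x80000),
    Module(r"C:\Windows\System32\kernel32.dll", 0x7FF8A0000000, 0xC0000),
]
SAMPLE_REGIONS = [
    Region(0x7FF8A0010000, 0x90000, "MEM_COMMIT", "MEM_IMAGE", "PAGE_EXECUTE_READ", b"\x4c\x8b\xdc"),
    Region(0x01C2D4A00000, 0x100000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_READWRITE", b"\x00\x00"),
    # reflective loader artifact: private RWX memory starting with a PE header
    Region(0x01C2D4B00000, 0x40000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE", b"MZ\x90\x00"),
    # .NET JIT code also lives in private executable memory: a weaker signal
    Region(0x01C2D4C00000, 0x10000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_EXECUTE_READ", b"\x48\x89\x5c"),
]


def run_sample() -> List[Tuple[int, List[str]]]:
    return scan(SAMPLE_REGIONS, SAMPLE_MODULES)


if __name__ == "__main__":
    for base, reasons in run_sample():
        print(f"{base:#018x}: {'; '.join(reasons)}")
```

The fourth region shows why this is a triage signal rather than a verdict: PowerShell itself hosts the .NET runtime, whose JIT emits code into private executable memory, so an unbacked executable region on its own is expected in a PowerShell process. The combination that matters is a PE header and writable-executable protection in memory the loader never registered, which is exactly what loading a DLL without the Windows loader produces.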


Recently, we witnessed threat actors using this technique to deploy ColdLock ransomware. Now we have seen the same attack used to execute Netwalker ransomware filelessly. The payload begins with a PowerShell script, detected as Ransom.PS1.NETWALKER.B.


Analysis of the PowerShell Script



Figure 1. Overview of the PowerShell script’s behavior


The script hides under multiple layers of ..
