Netwalker

Netwalker is ransomware — it belongs to the family of malware that encrypts files and demands that victims pay a ransom to get their data back. Netwalker uses several sophisticated techniques, such as process hollowing and code obfuscation, to target corporate victims.

Type: Ransomware
Origin: Unknown
First seen: 1 August, 2019
Last seen: 13 January, 2021
Also known as: Mailto
Global rank: 42
Week rank: 21
Month rank: 23
IOCs: 36

What is Netwalker Ransomware?

Netwalker, also called Mailto, is ransomware — malware that encrypts files on infected devices and uses the victim's lost access to their data as leverage to extort a ransom payment.

Although Netwalker is relatively new, having been discovered in August 2019, it has already been used in successful attacks against multiple companies. Amid the Coronavirus pandemic, it began using virus-themed emails to play on natural fears and infiltrate more networks.

General description of Netwalker Ransomware

Netwalker usually targets businesses and corporate victims, infiltrating a corporate network and spreading to all connected Windows PCs. One of the first campaigns in which this ransomware was seen included an attack on the Australian company Toll Group, which temporarily paralyzed over 1000 endpoints in February 2019.

Since then the malware has remained active but changed its distribution method to take advantage of the chaos caused by the COVID-19 pandemic, relying heavily on phishing. In addition, Netwalker started targeting medical and healthcare institutions, which are potentially the most vulnerable during the pandemic.

Netwalker ransomware is considered highly dangerous since it incorporates advanced anti-detection and persistence mechanisms. What’s more, successful attacks in the past prompted the FBI and the U.S. Department of Homeland Security to issue warnings about this malware.

Netwalker indeed has several advanced features. For example, experts report that this malware uses process hollowing, a technique that allows the attackers to execute the malware while masking it as a legitimate process, “explorer.exe” in the case of Netwalker. Thus, the malware cannot be detected simply by looking at the list of running processes, since no new suspicious process appears.

The malware may also copy itself into “AppData” subfolders and use a registry key to launch itself automatically and survive reboots, achieving persistence on the infected system.

Additionally, Netwalker features code obfuscation to complicate static analysis of the samples. The malware encodes all strings in its code so that analysts cannot easily read it.

It should also be noted that after encrypting the targeted files, depending on the version, the malware can append the string “mailto” to filenames. This is where the ransomware's first known name came from. The name was later changed after researchers analyzed a discovered decryptor and found that the original creator likely called the software “Netwalker”.

Malware analysis of Netwalker Ransomware

The ANY.RUN malware hunting service features a video that displays the complete execution process of Netwalker.

Figure 1: Graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Netwalker ransom note

Netwalker Ransomware execution process

In general, the execution process of Netwalker is not much different from other ransomware. At first, Netwalker was distributed as an executable file, but it soon started using script files such as VBS and PowerShell. After the ransomware makes its way into a system and runs, the main malicious activity begins. Like many other ransomware families, Netwalker deletes shadow copies. After the encryption process ends, this ransomware often stops its process and deletes itself. Like other malware of this type, it creates a text file with a ransom note and drops it in every directory that contains encrypted files. The ransom note file opens on the desktop after the encryption process ends. Also, Netwalker uses the process hollowing technique to inject the payload into ‘explorer.exe’.
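The behaviours in that execution chain (a script host hollowing explorer.exe, shadow copy deletion, the note opening on the desktop) map onto simple process-telemetry rules. The following Python is an added example, not ANY.RUN's code or anything from a Netwalker sample: the event tuples are constructed, and the vssadmin/wmic command syntax is an assumption since the page only says that shadow copies are deleted.

```python
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine). Illustrative only, not real Netwalker telemetry.
SAMPLE_EVENTS = [
    ("outlook.exe", "wscript.exe", r"wscript.exe C:\Users\u\Downloads\covid_update.vbs"),
    ("wscript.exe", "powershell.exe", "powershell.exe -w hidden -ep bypass -f stage2.ps1"),
    ("powershell.exe", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("explorer.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\u\Desktop\7a1f0c-Readme.txt"),
    ("userinit.exe", "explorer.exe", r"C:\Windows\explorer.exe"),  # normal logon: benign
]

# Script hosts the page names as Netwalker droppers (VBS, PowerShell). A legitimate
# explorer.exe is normally started by userinit.exe or winlogon.exe, not by one of these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Shadow copy deletion command syntax is an assumption; the page only says
# "deletes shadow copies".
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.IGNORECASE)
# Note file name pattern taken from the page: "{encrypted files extension}-Readme.txt".
RANSOM_NOTE = re.compile(r"[0-9a-z]+-Readme\.txt", re.IGNORECASE)

def detect(events):
    """Return (rule, parent, child) tuples, in event order, for the three behaviours."""
    hits = []
    for parent, child, cmdline in events:
        parent, child = parent.lower(), child.lower()
        # Process hollowing: a script host that "spawns" explorer.exe is really
        # starting a suspended explorer.exe to host the Netwalker payload.
        if child == "explorer.exe" and parent in SCRIPT_HOSTS:
            hits.append(("explorer_spawned_by_script_host", parent, child))
        # Backup destruction before encryption.
        if child in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(cmdline):
            hits.append(("shadow_copy_deletion", parent, child))
        # The ransom note is opened on the desktop once encryption finishes.
        if child == "notepad.exe" and RANSOM_NOTE.search(cmdline):
            hits.append(("ransom_note_opened", parent, child))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```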

Figure 3: Netwalker versions process tree comparison: the first is the executable file, the second the VBS script, and the third the PowerShell script

Distribution of Netwalker Ransomware

The malware uses multiple attack vectors to infiltrate the networks of its targets. It can use mail spam, web-injects, botnets, exploits, fake software updates, infected installers, and intrusions through insecure RDP configurations.

For example, it has been seen masquerading as the real software product “Sticky Password”. “Sticky Password” is a password management application developed by AVG Technologies — a well-known player in the cybersecurity industry.

Another attack vector is using VBS scripts distributed via Coronavirus-themed spam email campaigns.

How to detect Netwalker Ransomware using ANY.RUN?

Netwalker ransomware can be detected by several different activities — for example, by finding the keys it adds to the registry or certain files it creates. However, the most reliable way is finding the Netwalker ransom note — not only does it resemble notes seen in other tasks, but after an update this malware started adding a self-identifying string: "Your files are encrypted by Netwalker".

Analysts can view these notes using ANY.RUN's Static Discovering feature: click the "Files modification" tab, then find the file named "{encrypted files extension}-Readme.txt" and click it to view its contents.

If you find the line quoted above, you can be sure that the sample you are dealing with is Netwalker ransomware.
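The same check can be automated outside the sandbox, for instance across a file share during incident triage. This Python is an added example and not part of the original page: it looks for "<ext>-Readme.txt" notes, tests each for the self-identifying string, and corroborates by counting files that carry the extension the note names. The extension length and charset, and the sample directory it builds, are assumptions.

```python
import os
import re
import tempfile

# Netwalker's note is named "<ext>-Readme.txt", where <ext> is the extension appended
# to the encrypted files; the length and charset of <ext> are an assumption.
NOTE_NAME = re.compile(r"^(?P<ext>[0-9a-z]{4,10})-Readme\.txt$", re.IGNORECASE)
# Self-identifying string added to the note after the update the page mentions.
SELF_ID = "Your files are encrypted by Netwalker"

def scan_tree(root):
    """Return {ext: {"self_id": bool, "encrypted": n}} for each candidate note found."""
    found, all_names = {}, []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            all_names.append(name)
            m = NOTE_NAME.match(name)
            if not m:
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                body = fh.read(65536)  # notes are small; cap the read anyway
            ext = m.group("ext").lower()
            entry = found.setdefault(ext, {"self_id": False, "encrypted": 0})
            entry["self_id"] = entry["self_id"] or SELF_ID in body
    # Corroborate each note: count files that actually carry the extension it names.
    for name in all_names:
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in found:
            found[ext]["encrypted"] += 1
    return found

def verdict(scan):
    """'netwalker' only when the self-identifying string is present in the note."""
    return {ext: ("netwalker" if f["self_id"] else "unattributed-note")
            for ext, f in scan.items()}

def build_sample_tree():
    """Constructed directory mimicking a share after encryption (not real victim data)."""
    root = tempfile.mkdtemp(prefix="nw_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.7a1f0c", "budget.xlsx.7a1f0c"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(docs, "7a1f0c-Readme.txt"), "w") as fh:
        fh.write("Hi!\nYour files are encrypted by Netwalker.\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Project notes, nothing to see here.\n")  # benign decoy
    return root
```

Running `verdict(scan_tree(build_sample_tree()))` attributes the constructed tree to Netwalker; a note without the string is reported only as an unattributed ransom note.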

Figure 4: How to detect Netwalker ransomware using ANY.RUN

Conclusion

Thanks to its advanced persistence and detection-evasion mechanisms, Netwalker is a serious threat to the cybersecurity of organizations. This malware is one of those malicious programs that quickly started exploiting the Coronavirus pandemic for its benefit, which points to the adaptability of the cyber-gang behind it. Thus, we can be quite certain that Netwalker attacks will continue going forward.

What’s more, building defenses against malware that uses code obfuscation is usually not easy, since the only way to learn about the malicious program is through dynamic analysis, which demands significant time and resources.

The ANY.RUN malware hunting service enables researchers to perform dynamic analysis in a safe, interactive online environment with user-friendly tools, helping them learn as much as possible about this and similar ransomware threats.

IOCs

IP addresses

No IP addresses found

Hashes
Domains

No domains found
