Netwalker

Netwalker is ransomware: it belongs to a malware family that encrypts files and demands that users pay a ransom to get their data back. Netwalker uses several sophisticated techniques, such as process hollowing and code obfuscation, to target corporate victims.

Type: Ransomware
Origin: Unknown
First seen: 1 August, 2019
Last seen: 19 October, 2020
Also known as: Mailto
Global rank: 41
Week rank: 22
Month rank: 30
IOCs: 25

What is Netwalker Ransomware?

Netwalker, also called Mailto, is ransomware: malware that encrypts files on infected devices and uses the lost information as leverage to make the victim pay a ransom in exchange for regaining access to their data.

Although Netwalker is relatively novel, having been discovered in August 2019, it has already been featured in successful attacks against multiple companies. Amidst the Coronavirus pandemic, it started using virus-related emails to play on natural fears and potentially infiltrate more networks.

General description of Netwalker Ransomware

Netwalker usually targets businesses and corporate victims, infiltrating a corporate network and spreading to all connected Windows PCs. One of the first campaigns where this ransomware was seen included an attack on the Australian company Toll Group, which temporarily paralyzed over 1000 endpoints in February 2019.

Since then the malware has stayed active but changed its distribution method to take advantage of the chaos caused by the COVID-19 pandemic, relying heavily on phishing techniques. In addition, Netwalker started targeting medical and healthcare institutions, since they are potentially the most vulnerable due to the pandemic.

Netwalker Ransomware is considered highly dangerous since it incorporates advanced anti-detection and persistence mechanisms. What’s more, successful attacks in the past prompted the FBI and the U.S. Department of Homeland Security to issue warnings about this malware.

Netwalker indeed has several advanced features. For example, experts report that this malware utilizes process hollowing, a technique that allows the attackers to execute the malware while masking it as a legitimate process, “explorer.exe” in the case of Netwalker. Thus, the malware cannot be detected simply by looking at the list of processes, since no suspicious process appears there.

The malware may also copy itself into “AppData” subfolders and use a registry key to launch itself automatically and survive system reboots, achieving persistence in the infected system.

Additionally, Netwalker features code obfuscation to complicate the static analysis of the samples. The malware encodes all strings in its source code to prevent the analysts from easily reading its code.

It should also be noted that after encrypting the targeted files, depending on the version the malware can append the string “mailto” to filenames. This is how the first known name of this Ransomware was created. The name was later changed, after researchers analyzed a discovered decryptor, and found out that the original creator likely called the software “Netwalker”.

Malware analysis of Netwalker Ransomware

The ANY.RUN malware hunting service features a video that displays the complete execution process of Netwalker.

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Netwalker ransom note

Netwalker Ransomware execution process

In general, the execution process of Netwalker is not much different from that of other ransomware. At first, Netwalker was distributed as an executable file, but it soon started using script files such as VBS and PowerShell. After the ransomware makes its way into a system and runs, the main malicious activity begins. Like many other ransomware families, Netwalker deletes shadow copies. Like other malware of this type, it creates a text file with a ransom note and drops it in every directory that contains encrypted files. After the encryption process ends, the ransom note file opens on the desktop, and the ransomware often stops its process and deletes itself. Netwalker also uses the process hollowing technique to inject the payload into ‘explorer.exe’.

Figure 3: Netwalker versions process tree comparison: first is executable file, second is VBS script, and third is Powershell script
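
The script-based chains described above can be hunted for in process-creation telemetry. The following is an added example, not ANY.RUN code: it groups events under their script-host ancestor and reports chains in which explorer.exe has an unusual parent and shadow copies are deleted. The event tuples are constructed, and the list of normal explorer.exe parents and the vssadmin command form are assumptions that the page does not state.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Assumption: processes that normally start explorer.exe on a workstation.
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Constructed process-creation events: (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    (400, 4, "userinit.exe", "userinit.exe"),
    (900, 400, "explorer.exe", "explorer.exe"),
    (2100, 900, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\attachment.vbs"'),
    (2200, 2100, "explorer.exe", "explorer.exe"),
    (2300, 2200, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (3000, 900, "powershell.exe", "powershell.exe -File C:\\admin\\inventory.ps1"),
]


def tags(image, cmdline, parent_image):
    """Behaviours from the execution description that one event can show."""
    found, low = set(), cmdline.lower()
    if image in SCRIPT_HOSTS:
        found.add("script_host")
    if image == "explorer.exe" and parent_image not in EXPLORER_PARENTS:
        found.add("explorer_odd_parent")      # candidate hollowing target
    if "vssadmin" in low and "delete" in low and "shadows" in low:
        found.add("shadow_copy_delete")       # command form is an assumption
    return found


def script_root(pid, procs):
    """Nearest ancestor (or the process itself) that is a script host."""
    seen = set()
    while pid in procs and pid not in seen:   # `seen` guards against PID loops
        seen.add(pid)
        if procs[pid][1] in SCRIPT_HOSTS:
            return pid
        pid = procs[pid][0]
    return None


def detect(events):
    """Return {root pid: tags} for chains showing both key behaviours."""
    procs = {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    chains = defaultdict(set)
    for pid, (ppid, image, cmd) in procs.items():
        root = script_root(pid, procs)
        if root is not None:
            chains[root] |= tags(image, cmd, procs.get(ppid, (0, "", ""))[1])
    return {root: sorted(found) for root, found in chains.items()
            if {"explorer_odd_parent", "shadow_copy_delete"} <= found}
```

Chains that start from a plain executable, the first distribution form mentioned above, have no script-host root and are outside what this sketch covers.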

Distribution of Netwalker Ransomware

The malware uses multiple attack vectors to infiltrate the networks of its targets. It can utilize mail spam, web-injects, botnets, exploits, fake software updates, infected installers, and hacks that utilize insecure RDP configurations.

For example, it has been seen masquerading as a real software product “Sticky Password”. “Sticky Password” is a password management application developed by AVG Technologies — a very well known player in the cybersecurity industry.

Another attack vector is using VBS scripts distributed via Coronavirus-themed spam email campaigns.

How to detect Netwalker Ransomware using ANY.RUN?

Netwalker ransomware can be detected by several different activities — such as by finding the keys that it adds into the registry or by certain files that it creates. However, the most reliable way is finding the Netwalker ransom note — not only does it have similarities with notes from other tasks, but after getting an update, this malware started adding self-defining strings: "Your files are encrypted by Netwalker".

Analysts can take a look at these notes by using ANY.RUN Static Discovering. Click on the "Files modification" tab, then find a file with a name such as "{encrypted files extension}-Readme.txt". To take a look inside this file, just click on it.

If you find the line above, you can be sure that the sample you are dealing with is Netwalker ransomware.

Figure 4: How to detect Netwalker ransomware using ANY.RUN
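
The same check can be run outside the sandbox, for example over a mounted disk image or a file share. The following is an added example, not ANY.RUN code: it looks for files named like "{encrypted files extension}-Readme.txt", searches them for the self-identifying string quoted above, and lists neighbouring files that carry the extension the note is named after. The allowed characters and length of the extension are assumptions, and the demo tree is constructed sample data.

```python
import re
from pathlib import Path

MARKER = "your files are encrypted by netwalker"   # string quoted on this page
# "{encrypted files extension}-Readme.txt"; the extension charset is an assumption.
NOTE_NAME = re.compile(r"^(?P<ext>[A-Za-z0-9]{1,16})-Readme\.txt$", re.IGNORECASE)


def find_notes(root):
    """Return one finding per file under `root` named like a Netwalker note."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        m = NOTE_NAME.match(path.name)
        if not m or not path.is_file():
            continue
        ext = m.group("ext").lower()
        try:
            with open(path, "rb") as fh:
                # Cap the read; dropping NUL bytes lets UTF-16 ASCII text match too.
                raw = fh.read(65536).replace(b"\x00", b"")
        except OSError:
            continue
        text = raw.decode("utf-8", errors="replace").lower()
        # Files beside the note that carry the extension the note is named after.
        siblings = sorted(p.name for p in path.parent.iterdir()
                          if p.is_file() and p.suffix.lower() == "." + ext)
        findings.append({"note": str(path), "extension": ext,
                         "marker": MARKER in text, "encrypted_files": siblings})
    return findings


def verdict(finding):
    """Marker string: Netwalker. Name pattern plus matching files only: suspect."""
    if finding["marker"]:
        return "netwalker"
    return "suspect" if finding["encrypted_files"] else "benign"


def build_demo_tree(root):
    """Constructed sample data: one encrypted folder and one harmless look-alike."""
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "report.docx.a1b2c3").write_bytes(b"\x00" * 32)
    (root / "docs" / "A1B2C3-Readme.txt").write_text(
        "Hi!\nYour files are encrypted by Netwalker.\n", encoding="utf-8")
    (root / "tools").mkdir()
    (root / "tools" / "setup-Readme.txt").write_text("Install notes", encoding="utf-8")
    return root
```

Versions that predate the self-identifying string produce a "suspect" verdict at most, so those notes still need manual review.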

Conclusion

Thanks to the use of advanced persistence and anti-detection mechanisms, Netwalker is a serious threat to the cybersecurity of organizations. This malware is one of those malicious programs that quickly started exploiting the Coronavirus pandemic for its benefit, which may point to the adaptability of the cyber-gang behind it. Thus, we can be quite certain that Netwalker attacks will continue to happen going forward.

What’s more, building a cyber defense against malware that uses code obfuscation is usually not the easiest task, since the only way to learn about the malicious program is through dynamic analysis, which demands significant time and resources.

ANY.RUN malware hunting service enables researchers to perform dynamic analysis in an interactive and safe online environment with our user-friendly tools and helps them learn as much as possible about this and other similar Ransomware threats.

IOCs

IP addresses

No IP addresses found

Hashes
Domains

No hashes found
