Reflective dynamic-link library (DLL) injection has now been observed being used to infect victims with Netwalker ransomware, in an attempt to make the attacks ‘untraceable’ & thus defeat security controls.
Bad actors have been observed using a very ‘stealthy’ fileless malware technique, namely reflective dynamic-link library (DLL) injection, to infect victims with Netwalker ransomware in the hope of making their attacks untraceable.
In a blog post on Mon., Trend Micro Threat Analyst Karen Victor explains that instead of compiling the malware & storing it on disk, the attackers write it in PowerShell & run it directly in memory, so no malicious executable ever touches the file system.
“This technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any Windows loader for it to be injected.
This eliminates the need for registering the DLL as a loaded module of a process, & allows evasion from DLL load monitoring tools,” the Trend Micro blog post further explains.
“Ransomware in itself poses a formidable threat for organisations. As a fileless threat, the risk is increased as it can more effectively evade detection & maintain persistence,” the blog went on to say. “These types of attacks can affect victims tremendously, & they can be painstakingly difficult to recover from.”
The huge growth in fileless malware usage was identified as one of the top trends of 2019. In its mid-year 2019 security roundup report, Trend Micro observed that fileless malware attacks in the first half of the year increased 265% compared with the first 6 months of 2018.
Trend Micro also reports that the PowerShell script, detected as Ransom.PS1.NETWALKER.B, is wrapped in multiple layers of encryption, obfuscation & encoding in order to evade detection & analysis; each layer has to be decoded by the layer above it before the loader underneath runs.
Victor reported that the malware locates the API addresses of the functions it requires from kernel32.dll, the core Win32 API library present on every Windows system, & performs the memory address calculations itself. “In this manner, the script itself acts as the DLL’s own custom loader. This eliminates the need for a traditional Windows loader, which usually makes use of the LoadLibrary function.”
“The script itself can compute & resolve its needed memory address & relocations to load the DLL correctly. It then states the process it will inject into – in this case it searches for the running Windows Explorer process. Then, it will write & execute the ransomware DLL into the memory space of explorer.exe,” Victor went on to say.
As with other Netwalker variants, Ransom.PS1.NETWALKER.B encrypts common user files, appends an extension of six random characters to each & drops a ransom note in various folders demanding payment for restoration of the files.
The malware also deletes Volume Shadow Copies & terminates certain processes & services, including those related to back-up software, data-related applications & security software, so that local recovery is harder & defensive tooling cannot interfere with encryption.
Trend Micro suggests companies should take a number of steps to defend themselves from fileless threats, incl. utilising PowerShell’s logging capability to monitor suspicious behaviour, enabling PowerShell’s Constrained Language Mode to restrict the .NET & Win32 interop such loaders depend on, &, regularly backing up data & applying current software patches.
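As an added example (not code from the Trend Micro post or from the Netwalker sample), the following PowerShell puts the defensive advice above into practice and ties it back to the loader behaviour described earlier: it enables Script Block and Module Logging, sets Constrained Language Mode, and then scores event ID 4104 script blocks for the traits the article attributes to the loader (kernel32 API resolution, manual relocation, writing into explorer.exe, layered encoding). The Win32 API names used as indicators (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread), the `__PSLockdownPolicy` test hook, the score threshold and the constructed sample script block are assumptions of this example, not details from the article. Run it in an elevated session.

```powershell
# Added example, not from the Trend Micro post. Run as Administrator.

# --- 1. Script Block Logging (event ID 4104). Because PowerShell logs a script
#        block when it is compiled, each decoded layer of an obfuscated payload
#        is logged as its own event once the outer layer invokes it.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 2. Module Logging (event ID 4103) for pipeline execution details.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'

# --- 3. Constrained Language Mode blocks the .NET / Win32 interop (Add-Type,
#        arbitrary [Type]::Method calls) that a PowerShell-hosted loader needs.
#        __PSLockdownPolicy is a test hook, NOT a security boundary: a user can
#        clear it. Enforce CLM with AppLocker or WDAC policy in production.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
# New sessions report the mode here: $ExecutionContext.SessionState.LanguageMode

# --- 4. Hunt: score a script block for the loader traits the article describes.
#        The API names below are the usual injection primitives and are an
#        assumption; the article itself names only kernel32.dll, LoadLibrary
#        and explorer.exe.
function Test-ReflectiveLoaderIndicators {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptText)

    $indicators = [ordered]@{
        'kernel32 export resolution'   = 'kernel32|GetProcAddress|GetModuleHandle'
        'manual PE parsing/relocation' = 'e_lfanew|IMAGE_NT_HEADERS|BaseRelocation|ImageBase'
        'cross-process memory write'   = 'VirtualAllocEx|WriteProcessMemory|CreateRemoteThread'
        'explorer.exe as target'       = 'explorer(\.exe)?'
        'encoded inner layer'          = 'FromBase64String|EncodedCommand|Invoke-Expression|\biex\b'
    }
    $hits = foreach ($name in $indicators.Keys) {
        if ($ScriptText -match $indicators[$name]) { $name }
    }
    [pscustomobject]@{
        Score      = @($hits).Count
        Indicators = @($hits)
        Suspicious = (@($hits).Count -ge 3)   # threshold is an assumption; tune it
    }
}

# Query the live log. For 4104 the script block text is Properties[2].
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 1000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $r = Test-ReflectiveLoaderIndicators -ScriptText ([string]$e.Properties[2].Value)
    if ($r.Suspicious) {
        '{0}  score={1}  [{2}]' -f $e.TimeCreated, $r.Score, ($r.Indicators -join ', ')
    }
}

# Constructed sample (contains no working loader code) to show the scoring.
$sample = @'
$k = GetModuleHandle("kernel32.dll"); $p = GetProcAddress($k, "VirtualAllocEx")
$target = Get-Process explorer | Select-Object -First 1
WriteProcessMemory ...; CreateRemoteThread ...
'@
Test-ReflectiveLoaderIndicators -ScriptText $sample
```

Two points worth noting when using this. Script Block Logging is the control that defeats the layered encoding described above: the outer, encoded layer is of little use to an analyst, but the inner loader must be handed to the PowerShell engine in clear text to run, and that is the text 4104 captures. Constrained Language Mode is only as strong as what enforces it; the environment-variable setting above is convenient for testing, while a production deployment should rely on AppLocker or WDAC so the mode cannot simply be switched off by the script being constrained.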