Netwalker, the Fileless Ransomware which infects through reflective injection


Fileless Netwalker Ransomware Infects PC/laptops via Reflective Loading of DLL files

As security researchers break encryption codes of ransomware, the cybercriminals get more sophisticated. This cat and mouse game between the security researchers and malware authors has been going on ever since the first malware was spotted. Now it has gotten pretty serious. Trend Micro has discovered new ransomware which is fileless leaving few clues for security researchers and anti-virus companies.

The fileless ransomware is called Netwalker and was analyzed by Trend Micro researchers. They found that Netwalker ransomware infections involve malware that is not compiled, but written in PowerShell and executed directly in memory and without storing the actual ransomware binary into the disk. The researchers say that this makes the Netwalker ransomware difficult to detect.

Netwalker works by leveraging a technique called reflective dynamic-link library (DLL) injection, also referred to as reflective DLL loading. The technique allows the injection of a DLL from memory rather than from disk. This technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, and allowing evasion from DLL load monitoring tools.

The researchers found that a similar technique was employed by ColdLock ransomware. The researchers discovered the PowerShell script named Ransom.PS1.NETWALKER.B. The script hides under multiple layers of encryption, obfuscation, and encoding techniques. Netwalker’s script injects a ransomware DLL into the memory of the legitimate running process explorer.exe making it difficult to detect.

Once infected, the ransomware begins to encrypt the data on the victim computer and renames the encrypted files using 6 random characters as an extension. It also leaves a ransom note in various folders for the victim asking bitcoins in exchange for the decryption of their files.

Trend Micro recommends the following steps to contain this fileless threat:

  • Secure PowerShell use by taking advantage of its logging capability to monitor suspicious behavior.
  • Use PowerShell commands such as ConstrainedLanguageMode to secure systems from malicious code.
  • Configure system components and disable unused and outdated ones to block possible entry points.
  • Never download and execute files from unfamiliar sources

About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments