Shulou (Shulou.com), 05/31 report, updated 2025-03-16. Network Security.
This article walks through the analysis of a fileless Netwalker ransomware sample delivered by a PowerShell script. It is written for readers who have not analysed this kind of sample before: it explains how the loader works, what the ransomware does once it is running, and what defenders can do about it.
Attackers keep looking for more sophisticated ways to evade malware detection. A recently observed Netwalker ransomware campaign uses a PowerShell script that runs the ransomware entirely in memory; the ransomware binary is never written to disk. The script relies on reflective DLL injection (also called reflective DLL loading), a technique that maps a DLL into a process from a memory buffer, without a DLL file on disk and without going through the Windows loader. Because the image is never a file and is never registered with the loader, both file-based scanning and ordinary module enumeration miss it.
PowerShell analysis
The behaviour of the PowerShell script is as follows.
The script uses several layers of encryption, obfuscation and encoding. The outermost layer is base64 encoding.
Base64 decoding reveals the next layer: code that has been XOR encrypted and then hex encoded.
Decoding the hex and reversing the XOR yields the main script, which is still heavily obfuscated and hard for an analyst to read.
This script reflectively injects the ransomware DLL into the legitimate process explorer.exe. The ransomware itself is embedded in the script as a hex string.
The script decodes that string into two DLLs: an x86 build of the ransomware (for 32-bit Windows) and an x64 build (for 64-bit Windows). It checks the environment it is running in to decide which DLL to use.
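The three unpacking steps above (base64, then hex plus XOR, then carving the embedded DLLs and checking their architecture) can be scripted so that the next sample of this family does not have to be peeled by hand. The following Python is an added example written for this article, not code from the original report or from the Netwalker loader: the XOR key, the repeating-key XOR scheme, the sample inner script and the header-only PE stubs are all assumptions constructed for the demonstration. What it does show is the order in which the layers have to be reversed and how the x86/x64 decision can be confirmed from the IMAGE_FILE_HEADER.Machine field of each carved blob rather than trusted from the script's own logic.

```python
import base64
import re
import struct

# Machine values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Assumed repeating XOR key for the constructed sample; the real sample's key
# has to be recovered from the decoded hex layer.
XOR_KEY = b"\x5a\xa5\x3c"


def xor_bytes(data, key):
    """XOR data with a repeating key (symmetric, so it both encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fake_pe(machine):
    """Build a header-only PE stub: DOS header whose e_lfanew points at 'PE\\0\\0' + Machine.

    Constructed stand-in for the embedded DLLs; it carries only the fields this
    example reads and is not a loadable image.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    nt = b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18
    return dos + nt


def pe_machine(image):
    """Return 'x86' or 'x64' from IMAGE_FILE_HEADER.Machine, or None if not a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine)


def build_outer_stage(inner_script, key=XOR_KEY):
    """Wrap a script the way the article describes: XOR, then hex, then base64 on the outside."""
    xored = xor_bytes(inner_script.encode(), key)
    return base64.b64encode(xored.hex().encode()).decode()


def unpack_stage(outer_b64, key=XOR_KEY):
    """Peel the layers in reverse order: base64 -> hex -> XOR -> plain script text."""
    hex_text = base64.b64decode(outer_b64).decode()
    return xor_bytes(bytes.fromhex(hex_text), key).decode()


# Long runs of hex digits are where the embedded DLLs live in the decoded script.
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{64,}")


def carve_embedded_pes(script_text):
    """Unhex every long hex string in the decoded script and classify the PE images found."""
    found = []
    for m in HEX_BLOB.finditer(script_text):
        blob = bytes.fromhex(m.group(0))
        arch = pe_machine(blob)
        if arch:
            found.append((arch, blob))
    return found


def sample_inner_script():
    """Constructed inner script: two hex-embedded stubs and a pointer-size check to pick one."""
    return (
        '$x86 = "%s"\n$x64 = "%s"\n'
        'if ([IntPtr]::Size -eq 8) { $dll = $x64 } else { $dll = $x86 }\n'
        % (fake_pe(IMAGE_FILE_MACHINE_I386).hex(), fake_pe(IMAGE_FILE_MACHINE_AMD64).hex())
    )


def analyze(outer_b64):
    """Unpack a staged script and report the architectures of the DLLs it carries, in order."""
    inner = unpack_stage(outer_b64)
    return [arch for arch, _ in carve_embedded_pes(inner)]


if __name__ == "__main__":
    staged = build_outer_stage(sample_inner_script())
    print(analyze(staged))
```

On a real sample, replace `unpack_stage` with whatever the outer layers actually are (the key is usually visible as a byte array in the hex-decoded stage) and keep `carve_embedded_pes`: the carved blobs are the artefacts to hash, scan and load into a disassembler, since they never exist on disk during the attack.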
It first resolves the addresses of the API functions it needs from kernel32.dll.
It then computes the memory addresses it will work with.
The script therefore acts as its own DLL loader: it calculates, parses and locates every address it needs instead of relying on the Windows loader. It then selects the target by searching for a running Windows Explorer process.
It writes the ransomware DLL into the address space of explorer.exe and executes it there.
Finally, it deletes the volume shadow copies so that the victim cannot use them to restore files.
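Because nothing touches disk, the most reliable place to catch this loader is PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational), where the decoded stages appear in clear text as they run. The Python below is an added example for this article, not a detection shipped by any vendor and not derived from the sample's code: the indicator set follows the loader steps described above (base64 and hex layers, XOR, kernel32 API resolution, explorer.exe as the target, shadow-copy deletion) plus the Win32 injection APIs such a loader normally needs, but the API names, regexes, threshold and sample events are all assumptions constructed for the demonstration.

```python
import re

# Assumed indicator set; names and patterns are this example's, not the sample's.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hex_decode": re.compile(r"\[Convert\]::ToByte\(.*?,\s*16\s*\)|FromHexString", re.I),
    "xor_loop": re.compile(r"-bxor\b", re.I),
    "kernel32_resolve": re.compile(r"GetProcAddress|GetModuleHandle|kernel32\.dll", re.I),
    "explorer_target": re.compile(r"Get-Process\s+explorer\b|explorer\.exe", re.I),
    "remote_write_exec": re.compile(r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.I),
}

# Assumed threshold: one FromBase64String is common in legitimate scripts, but
# three of these behaviours in a single script block is worth an analyst's time.
ALERT_THRESHOLD = 3


def match_indicators(script_text):
    """Return the set of indicator names that fire on one script block's text."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def triage(events, threshold=ALERT_THRESHOLD):
    """Select 4104 events whose ScriptBlockText trips at least `threshold` indicators.

    Returns a list of (RecordId, sorted indicator names) for the escalated events.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        fired = match_indicators(ev.get("ScriptBlockText", ""))
        if len(fired) >= threshold:
            hits.append((ev["RecordId"], sorted(fired)))
    return hits


# Constructed sample events shaped like 4104 records; record 3 is a hand-written
# stand-in for a staged loader, not the real Netwalker script.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText":
        "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText":
        "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CFG))"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": "\n".join([
        "$raw = [Convert]::FromBase64String($stage)",
        "$hex = [Text.Encoding]::ASCII.GetString($raw)",
        "$buf = for ($i = 0; $i -lt $hex.Length; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }",
        "$dec = for ($i = 0; $i -lt $buf.Length; $i++) { $buf[$i] -bxor $key[$i % $key.Length] }",
        "$hMod = $k32::GetModuleHandle('kernel32.dll')",
        "$pVAEx = $k32::GetProcAddress($hMod, 'VirtualAllocEx')",
        "$target = Get-Process explorer",
        "vssadmin.exe delete shadows /all /quiet",
    ])},
    # Wrong event ID: pipeline logging, not a script block, so it is skipped.
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText":
        "Get-Process explorer; vssadmin delete shadows /all"},
]


if __name__ == "__main__":
    for record_id, fired in triage(SAMPLE_EVENTS):
        print(record_id, fired)
```

Script block logging records the text after each layer is decoded and invoked, so the inner stages fire these indicators even when the outermost command line is a single opaque base64 string; that is the reason to key the detection on 4104 rather than on process command lines alone.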
Analysis of the fileless ransomware
Netwalker renames each encrypted file by appending an extension of six random characters.
It drops the ransom note into various folders on the system and opens it once the victim's data files have been encrypted.
It adds the following registry key, with a value holding hex data:
HKEY_CURRENT_USER\SOFTWARE\{8 random characters}
{8 random characters} = {hex values}
The ransomware terminates a number of processes and services, several of them belonging to backup and database software, so that files they hold open can be encrypted and cannot be restored from a local backup. Some of the services and processes it terminates are listed below (see the original report for the complete list):
Services:
*backup*
*sql*
AcronisAgent
ARSM
Server Administrator
ShadowProtectSvc
wbengine*
Processes:
*sql*
excel.exe
ntrtscan.exe
powerpnt.exe
wbengine*
winword.exe
wrsa.exe
The ransomware also stops processes belonging to security software so that its activity is neither detected nor blocked; ntrtscan.exe (Trend Micro's real-time scanner) and wrsa.exe (Webroot SecureAnywhere) in the list above are examples.
Netwalker mainly encrypts common user files: Office documents, PDFs, images, video, audio and text files. It avoids critical files, executables, DLLs, the registry hives and other system files, so that the machine keeps running well enough for the victim to read the note and pay.
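The three post-encryption traits just described (a six-character random extension, user documents targeted, executables and DLLs left alone) are enough for a quick hunt over a directory listing or a file-server audit log. The Python below is an added example for this article, not tooling from the original report: the extension sets, the assumption that the random extension is appended after the original one (so a file looks like report.docx.abc123), the minimum-file threshold and the sample listing are all constructed for the demonstration.

```python
import re
from collections import Counter

# Assumed classification, following the article's description of what is and is not
# encrypted; the sets are illustrative and not the sample's own target list.
USER_DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".jpg", ".png", ".mp4", ".mp3", ".txt"}
SYSTEM_EXTS = {".exe", ".dll", ".sys"}

# Assumption: the six random characters are appended after the original extension.
APPENDED = re.compile(r"^(?P<stem>.+)(?P<orig>\.[A-Za-z0-9]{1,5})\.(?P<rnd>[A-Za-z0-9]{6})$")

# Six-character tails that are ordinary extensions, not a ransomware marker.
KNOWN_SIX_CHAR = {"backup", "config", "sqlite"}


def split_appended(name):
    """Return (original_ext, appended_token) for a name with a six-char tail, else None."""
    m = APPENDED.match(name)
    if not m or m.group("rnd").lower() in KNOWN_SIX_CHAR:
        return None
    return m.group("orig").lower(), m.group("rnd")


def triage_listing(names, min_files=3):
    """Look for one dominant appended extension across several user documents.

    Returns the suspected extension (or None), the files that carry it, and the
    executables/DLLs present in the listing, which should still have their normal
    names if the behaviour matches what the article describes.
    """
    empty = {"suspect_ext": None, "encrypted": [], "system_untouched": []}
    tails = {}
    for n in names:
        parts = split_appended(n)
        if parts and parts[0] in USER_DOC_EXTS:
            tails[n] = parts[1]
    counts = Counter(tails.values())
    if not counts:
        return empty
    ext, count = counts.most_common(1)[0]
    if count < min_files:
        return empty
    encrypted = sorted(n for n, t in tails.items() if t == ext)
    system_untouched = sorted(
        n for n in names if any(n.lower().endswith(e) for e in SYSTEM_EXTS)
    )
    return {"suspect_ext": ext, "encrypted": encrypted, "system_untouched": system_untouched}


# Constructed listing: four user documents with one random tail, one legitimate
# ".backup" copy, one untouched text file and two binaries that were not renamed.
SAMPLE_LISTING = [
    "Q3-report.docx.a7Gh2k", "invoice.pdf.a7Gh2k", "team.jpg.a7Gh2k",
    "notes.txt.a7Gh2k", "old.xlsx.backup", "readme.txt", "app.exe", "helper.dll",
]


if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

Requiring one dominant tail across several documents is what keeps this from firing on a single oddly named file; a real family-specific rule would also check for the ransom note in the same folders, which this article does not name and the example therefore does not assume.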
Summary and recommendations
Attackers are now combining ransomware with reflective DLL injection, which makes the attack harder for security analysts to analyse and trace. Ransomware already does serious damage to an organisation; delivered as a fileless attack it is more dangerous still, because there is no binary on disk for file-based antivirus to scan. Organisations need layered endpoint protection, including behaviour monitoring and behaviour-based detection, and should enable PowerShell script block logging so that the in-memory stages remain visible.
Some recommendations for avoiding ransomware attacks:
Back up critical data regularly, and keep copies offline, to limit the impact of a ransomware attack
Install the latest patches for the operating system and third-party software promptly
Follow good e-mail and web security practices
Treat unexpected e-mails and attachments with suspicion and report them promptly
Apply application whitelisting on endpoints to block unknown and unneeded applications
Run security awareness training for employees regularly
IOCs