Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.
In a company blog post on Monday, Trend Micro threat analyst Karen Victor writes that instead of compiling the malware and storing it into the disk, the adversaries are writing it in PowerShell and executing it directly into memory.
“This technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, and allowing evasion from DLL load monitoring tools,” the Trend Micro blog post explains.
“Ransomware in itself poses a formidable threat for organizations. As a fileless threat, the risk is increased as it can more effectively evade detection and maintain persistence,” the blog post continues. “These types of attacks can affect victims tremendously, and they can be painstakingly difficult to recover from.”
Late last year, SC Media named the explosion of fileless malware usage one of the top trends of 2019. Indeed, in its mid-year security roundup report from 2019, Trend Micro revealed that fileless malware attacks in the first half of the year jumped 265 percent, compared to the first six months of 2018.
Trend Micro reports that the PowerShell script, Ransom.PS1.NETWALKER.B, hides beneath various levels of encryption, obfuscation and encoding in order to evade detection and analysis.
Victor reports that the malware locates the API addresses of the functions it requires from kernell32.dll, the 32-bit dynamic link library found in the Windows operating system, and performs memory address calculations. “In this manner, the script itself acts as the DLL’s own custom loader. This eliminates the need for a traditional windows loader, which usually makes use of the LoadLibrary function.”
“The script itself can compute and resolve its needed memory address and relocations to load the DLL correctly. It then specifies the process it will inject into; in this case it searches for the running Windows Explorer process. Afterwards, it will write and execute the ransomware DLL into the memory space of explorer.exe…” Victor continues.
Like other Netwalker variants, Ransom.PS1.NETWALKER.B encrypts common user files using six random characters as an extension and places a ransom note in various folders demanding payment for restoration of files. The malware also deletes Shadow Volume copies and terminates certain process and services, including those associated with back-up software, data-related applications and security software.
Trend Micro recommends companies take multiple steps to defend themselves from fileless threats of this nature — including leveraging PowerShell’s logging capability to monitor suspicious behavior, using PowerShell commands such as ConstrainedLanguageMode, and, of course, regularly backing up data and applying software patches.