Netwalker Leverages Tools To Boost Its Stealthiness And Persistence
The actors behind Netwalker have adopted sophisticated techniques to increase stealth and complicate causal analysis, such as process hollowing, in which the malware injects itself into a legitimate process such as explorer.exe and removes the original executable, according to SentinelOne. At that point, SentinelOne said, the infection is effectively hidden inside the address space of a legitimate process.
To maintain persistence of the malicious file on the user's host, Cynet said the payload deletes the original executable from its location and creates a registry key that executes the file every time the host starts up. A dive into the payload's memory strings to locate any signs of the ransom note shows that the strings are obfuscated and Base64-encoded, according to Cynet.
To erase all backup copies on the host, Cynet said an instance of "vssadmin.exe" runs silently to delete the volume shadow copies and prevent recovery from backups. Each Netwalker configuration file contains a list of processes and files to discover so that they do not interfere with data collection or file encryption, listing both services and processes to kill prior to the malware's main tasks.
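The persistence and backup-destruction behaviours described above (a Run key pointing at the relocated payload, a silent vssadmin shadow-copy deletion spawned from a hollowed explorer.exe, and Base64-obfuscated strings in payload memory) are what a defender can hunt for. The following is an added detection example written for this page; it is not code from SentinelOne, Cynet or any Netwalker analysis. It assumes a simplified Sysmon-style event schema (`event`, `pid`, `parent_pid`, `image`, `command_line`, `key`, `value`), and the sample events and memory-strings dump are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed, simplified Sysmon-style events (assumed schema; not real Netwalker telemetry).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "parent_pid": 1,
     "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"event": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"event": "process_create", "pid": 5032, "parent_pid": 4120,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_create", "pid": 6000, "parent_pid": 1,
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Assumed allow-list: parents from which shadow-copy deletion is expected in normal administration.
EXPECTED_SHADOW_PARENTS = {"cmd.exe", "powershell.exe", "wbengine.exe"}


def detect(events):
    """Return (rule, pid, detail) tuples for Run-key persistence and shadow-copy deletion.

    A vssadmin deletion whose parent is not an administrative shell (e.g. explorer.exe,
    the process Netwalker hollows) is flagged a second time as an unusual-parent finding.
    """
    image_by_pid = {ev["pid"]: ev["image"] for ev in events if ev["event"] == "process_create"}
    findings = []
    for ev in events:
        if ev["event"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings.append(("run_key_persistence", ev["pid"], ev["value"]))
        elif ev["event"] == "process_create" and SHADOW_DELETE_RE.search(ev["command_line"]):
            findings.append(("shadow_copy_deletion", ev["pid"], ev["command_line"]))
            parent = image_by_pid.get(ev.get("parent_pid"), "").rsplit("\\", 1)[-1].lower()
            if parent and parent not in EXPECTED_SHADOW_PARENTS:
                findings.append(("shadow_deletion_unusual_parent", ev["pid"], parent))
    return findings


# Base64 tokens of at least 24 characters; shorter runs produce too many false decodes.
B64_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
NOTE_KEYWORDS = (b"encrypted", b"decrypt", b".onion")


def find_encoded_note_strings(strings_dump):
    """Decode Base64-looking tokens in a memory-strings dump; keep those that read like a ransom note."""
    hits = []
    for m in B64_TOKEN_RE.finditer(strings_dump):
        token = m.group(0)
        if len(token) % 4:  # valid Base64 is always a multiple of 4 characters
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if any(k in decoded.lower() for k in NOTE_KEYWORDS):
            hits.append(decoded.decode("latin-1"))
    return hits


# Constructed strings dump: one Base64-encoded note-like string among ordinary imports.
SAMPLE_STRINGS = b"\n".join([
    b"kernel32.dll", b"GetProcAddress",
    base64.b64encode(b"Your files are encrypted. Contact us to decrypt."),
    b"VirtualAllocEx",
])

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    for note in find_encoded_note_strings(SAMPLE_STRINGS):
        print("encoded note string:", note)
```

The two detections are deliberately independent: a Run key whose value points into a user-writable directory is worth an alert on its own, and a shadow-copy deletion is worth one regardless of parent, with the unusual-parent finding adding the process-hollowing context. Over real Sysmon data the same logic maps onto Event ID 13 (registry value set) and Event ID 1 (process creation).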