It is scary to know that threat actors now are smartly making use of sneaky fileless malware techniques like the reflective Dynamic-Link Library (DLL) injection. Not just this, but these  cybercriminals are adding to the situation by attacking systems with Netwalker ransomware with high hopes of making the attack untraceable while giving a tough time to security analysts.

Karen Victor, a threat analyst at Trend Micro, explains that instead of collecting and storing the malware into the disk, threat actors are writing it in PowerShell and getting it into action directly through memory.

Why is it worrisome?

As per Karen Victor’s blog post, the new style of attack seems to be even stealthier compared to the regular DLL injection as it is not dependent on any windows loader for it to get in the system. This eliminates the requirement of registering the DLL as a loaded module of a process and enables evasion from DLL load monitoring tools.

As ransomware in itself is a difficult threat for businesses, tackling the fileless enemy gets even more worse as it can easily escape detection and be stable. Additionally, the article by Karen Victor mentions that the aftereffects of these attacks can be devastating and thoroughly challenging to recover from.

Not just this, but last year the explosion of fileless malware was trending, and it managed to grow 265% percent compared to the first six months of 2018.

More about Netwalker ransomware

As per Trend Micro, the PowerShell script, Ransom.PS1.NETWALKER., is capable of hiding under several levels of encryption, obfuscation, and encoding to escape detection and analysis.

Additionally, Karen Victory mentions that the malware detects API addresses of the functions that are necessary from kernell32.dll, the 32-bit dynamic link library that is available in the Windows operating system and carries out memory address calculations. With the use of this method, the script acts like the DLL’s own customer loader and eliminates the need for a traditional windows downloader.

Just like various other Netwalker ransomware variants, Ransom.PS1.NETWALKER.B has the ability to encrypt common user files with the help of six random characters used as an extension and places a ransomware note in various folders demanding money for the restoration of files.

The malware is also involved in deleting Shadow Volume copies and end certain processes and services along with the ones associated with data-related apps, backup software, and security software.

Recommendations

Trend Micro suggests businesses take multiple steps to protect themselves and the company’s interest from fileless ransomware. It also recommends companies to regularly backup data and maintain consistency in applying software patches.