Malware and related records show that ransomware administrators needn’t bother with a bleeding edge weapons store to be viable.
A malware apparatus set and related documents that analysts at Sophos as of late unearthed gives uncommon understanding into the strategies and methods some threat actors are utilizing to send ransomware nowadays.
The researchers found the malware while exploring Netwalker, a ransomware family that has been utilized in a few ongoing assaults against enormous associations in different segments of the US, Australia, and Europe.
Their analysis showed the tool set contains a relatively comprehensive set of malware for everything from conducting reconnaissance to sniffing out valuable information, privilege escalation, credential theft, brute-forcing passwords, and evading intrusion detection tools.
The malware includes tools for exploiting specific vulnerabilities in Windows environments and legacy server environments, such as Tomcat and WebLogic.
Interestingly, a substantial proportion of the tools in the Netwalker portfolio were obtained from the public domain and included so-called gray-hat tools such as Mimikatz for password dumping.
Andrew Brandt, principal researcher at Sophos, says the tool set is another reminder why attack tools don’t have to be especially sophisticated to be effective.
“The techniques and tools they are using are not groundbreaking or new, but they remain stubbornly effective as IT teams continue to struggle with controlling what’s running on their networks and what is accessible through the firewall,” Brandt says.
According to Sophos, the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.
The Netwalker tool set also includes one called NLBrute, which the attackers have set up to break into systems with weakly enabled Remote Desktop Services (RDP). Sophos found NLBrute configured to use a specific set of username and passwords to try and break into RDP services.
“The [username and password] lists serve as a good guideline for what not to do when it comes to choosing complex passwords,” Brandt says.
Sophos found that once the attackers gain entry to a network, they use commonly available tools, such as SoftPerfect Network Scanner, to look for and create lists of computers with open SMB ports. They then use products such as Mimikatz, Mimidogz, or Mimikittenz to harvest credentials from these systems.
The set of post-exploitation tools in the Netwalker arsenal includes several for privilege escalation. Among them are exploits for a critical, recently disclosed remote code execution bug in Microsoft’s Server Message Block (SMB v3) technology (CVE-2020-0796), a local privilege escalation vulnerability in Windows (CVE-2019-1458), and a flaw from 2015 dubbed “Russian Doll” (CVE-2015-1701).
For the ransomware deployment itself, the attackers have been using a heavily obfuscated PowerShell loader script and orchestration tools that use domain controllers to distribute malware to any machine the domain controllers can reach.
Publicly Available Tools
Interestingly, several of the tools the operators of Netwalker are using to remove Windows endpoint malware detection tools are from legitimate security vendors. Among the tools in this category that Sophos’ researchers discovered are WorryFree Uninstall from Trend Micro, AV Remover from ESET, and Microsoft Security Client Uninstall.
Like the antivirus software removal tools, a majority of the other tools the operators of Netwalker are using in ransomware campaigns are publicly available products. Among them are Mimikatz, Windows Credential Editor, pwdump, SoftPerfect Network Scanner, psexec, Teamviewer, and Anydesk.
Brandt says the tools and tactics attackers are using to deploy Netwalker ransomware might have been considered cutting edge even two years ago, but they are relatively old hat now.
“These attackers are not plowing rough ground here,” he says.
At the same time, it is a mistake to underestimate the damage these attackers can cause or the cost of cleaning up after them.
“These attackers have not slowed down, as we’ve seen evidence of new malware payloads being created even this week,” Brandt says. “So as rudimentary as they are, they must still be somewhat effective.”
For organizations, threats like Netwalker highlight the need for basic security hygiene, he says. Brute-force attacks against RDP or those seeking to exploit the EternalBlue issue in the SMB protocol, for instance, should be relatively easy for organizations to protect against provided they put in the effort to address them, he says.
“I just wonder what it will require for everyone to understand these risks are not insurmountable and agree to take their patch medicine.” Brandt says.
