What is NetWalker Ransomware?
• NetWalker first appeared as a ransomware strain in August 2019. Its initial version went by the name Mailto; it was rebranded to NetWalker towards the end of 2019.
• NetWalker is a fast-growing ransomware family operated by the cybercrime group tracked as 'Circus Spider', active since 2019. Circus Spider is one of the newer members of the 'Mummy Spider' cybercriminal group.
Initial Access (how did it happen?):
• We saw multiple RDP logins around the time of the attack, but we believe 198.181.163[.]103 (possibly an IPVanish VPN exit) to be the source of this intrusion. Other IPs that logged into the honeypot that day are listed in the IOCs section.
• The threat actor logged in with the DomainName\Administrator account, i.e. the built-in domain administrator, exposed over RDP.
Command & Control:
• c37.ps1 was dropped and run about 16 minutes after the initial login. No network connections were observed while this script ran, which makes us question whether it actually worked.
• The script is heavily obfuscated but still looks like Cobalt Strike. When we uploaded it to VirusTotal, THOR reported that it may also contain Windshield or SplinterRAT.
• c37.ps1 had a very low detection rate even after 7+ days.
• Minutes later they ran c37.exe, which copies itself to a temp directory and then stops. This binary includes Neshta as well as the many other capabilities described below.
- We attempted to run c37.ps1 and c37.exe in a few sandboxes and none of them captured any network traffic, which suggests these Beacons include sandbox evasion techniques.
• According to Intezer, the c37.exe binary shares code with Neshta, Poison, BazarBackdoor and XMRig, plus a large portion of Cobalt Strike.
Discovery (how did it happen?):
- AdFind Recon:
- AdFind is a command-line Active Directory query tool: a mixture of ldapsearch, search.vbs, ldp, dsquery and dsget with a ton of other useful features thrown in for good measure. The tool preceded dsquery/dsget/etc. by years, though its author did adopt some of the useful features from those tools.
- A threat actor logged into the RDP honeypot from 217[.]182[.]242[.]13 (OVH) with a hostname of WORK9F3B. Within 20 seconds they opened a command prompt and issued the following commands.
• The threat actor then ran a batch file which executed a series of AdFind queries and redirected their output to txt files.
- The lnk files show that they opened a few of the txt files output by AdFind. domains.txt and ips.log were opened within minutes of AdFind being run.
- A few minutes after AdFind was run, a command prompt was opened and the following commands were either pasted in slowly or typed by hand.
- Shortly after that, a script named pcr.bat was dropped and executed.
- This script pings each hostname listed in domains.txt and writes the output to ips.log. The ping command used sends a single echo request and forces IPv4, so the log doubles as a hostname-to-IP map of every reachable host. The domains.txt file most likely came from the AdFind command above that used the domainlist parameter.
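The discovery stage above (AdFind dumping the directory to txt files, then pcr.bat pinging every host once) leaves a recognisable shape in process-creation telemetry. The following is an added example, not code from the original page or from the report it summarises: it builds a handful of constructed Sysmon Event ID 1 / Windows 4688 style records that imitate that behaviour and runs two checks over them. Hostnames, PIDs and timestamps are made up, and the exact AdFind and ping command lines are assumptions modelled on the description above.

```python
"""Discovery-stage detection over constructed process-creation telemetry.

Added example: not code from the original page or the report it summarises.
Events imitate Sysmon Event ID 1 / Windows 4688 fields. Hostnames, PIDs and
timestamps are made up; the AdFind and ping command lines are assumptions
modelled on the behaviour described above (AdFind output redirected to .txt
files, then pcr.bat sending one IPv4 ping per hostname).
"""
from collections import defaultdict
from datetime import datetime, timedelta

CMD = r"C:\Windows\System32\cmd.exe"
PING = r"C:\Windows\System32\PING.EXE"

# --- constructed telemetry ---------------------------------------------------
RECON_SHELL = {"ts": "2020-08-01T10:00:00", "pid": 500, "ppid": 400,
               "image": CMD, "cmdline": "cmd.exe /c adfind.bat"}
ADFIND_EVENTS = [  # assumed AdFind invocations, one per object class
    {"ts": f"2020-08-01T10:00:0{i + 1}", "pid": 510 + i, "ppid": 500,
     "image": r"C:\Users\Administrator\Desktop\adfind.exe",
     "cmdline": f'adfind.exe -f "(objectcategory={cat})" > ad_{cat}.txt'}
    for i, cat in enumerate(["person", "computer", "group"])
]
SWEEP_SHELL = {"ts": "2020-08-01T10:05:00", "pid": 600, "ppid": 400,
               "image": CMD, "cmdline": "cmd.exe /c pcr.bat"}
PING_EVENTS = [  # pcr.bat: one echo request, IPv4 forced, per line of domains.txt
    {"ts": f"2020-08-01T10:05:{i:02d}", "pid": 610 + i, "ppid": 600,
     "image": PING, "cmdline": f"ping -n 1 -4 host{i:02d}.corp.local"}
    for i in range(12)
]
# A lone ping from an unrelated shell: an admin checking a link, must not alert.
BENIGN_PING = {"ts": "2020-08-01T10:07:00", "pid": 700, "ppid": 300,
               "image": PING, "cmdline": "ping -n 1 -4 dc01.corp.local"}

EVENTS = [RECON_SHELL, *ADFIND_EVENTS, SWEEP_SHELL, *PING_EVENTS, BENIGN_PING]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_adfind(events):
    """Match AdFind by image name or, when it has been renamed, by its
    LDAP-filter argument redirected to a file (the pattern that left the
    txt files described above)."""
    hits = []
    for e in events:
        cmd = e["cmdline"].lower()
        if _basename(e["image"]) == "adfind.exe" or ("objectcategory=" in cmd and ">" in cmd):
            hits.append(e)
    return hits


def detect_ping_sweep(events, window=timedelta(seconds=60), threshold=10):
    """Alert when a single parent process spawns pings to at least `threshold`
    distinct hosts inside `window`. A batch file sweeping domains.txt does
    this; a person troubleshooting connectivity does not."""
    by_parent = defaultdict(list)
    for e in events:
        if _basename(e["image"]) == "ping.exe":
            by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, pings in by_parent.items():
        pings.sort(key=_ts)
        start = 0
        for end in range(len(pings)):
            while _ts(pings[end]) - _ts(pings[start]) > window:
                start += 1  # slide the window forward
            hosts = {p["cmdline"].split()[-1] for p in pings[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"ppid": ppid, "hosts": sorted(hosts),
                               "first": pings[start]["ts"], "last": pings[end]["ts"]})
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for e in detect_adfind(EVENTS):
        print("AdFind:", e["cmdline"])
    for a in detect_ping_sweep(EVENTS):
        print(f"ping sweep from ppid {a['ppid']}: {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']}")
```

Tune `threshold` and `window` to the environment: monitoring scripts that ping a fixed set of servers will trip the sweep rule and need an allowlist on the parent image or script path, while the AdFind rule is cheap enough to run unconditionally because legitimate use of AdFind on a workstation is rare.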
- Credential Access:
- Mimikatz was dropped, and a minute later procdump64.exe followed. The threat actors then used ProcDump to dump LSASS memory with the following command:
• This procdump64 binary appears to be compiled with Delphi and does not match the hashes of any known Sysinternals ProcDump release. It appears the threat actors rolled their own build but kept the original usage text.
• Mimikatz was run about a minute later, presumably against the LSASS dump.
Lateral Movement:
- After dumping credentials, the threat actor RDPed into a Domain Controller (DC). Shortly after accessing the DC they dropped ip.list.txt, P100119.ps1 and PsExec.
Objectives:
- The threat actor used PsExec to run, on every system in the target list, a cmd one-liner that mounts a share on the DC as the Domain Administrator and then executes the ransomware payload from that share with PowerShell. NetWalker was delivered to all online domain-joined systems in the honeypot via the command below (the password, in clear text on the command line, is shown as it appeared in the logs):
- C:\psexec.exe @ip-list.txt -d cmd /c "(net use q: /delete /y & net use q: \\DomainController\DomainName /user:DomainName\administrator ThisWasThePassword & powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -File q:\P100119.ps1)"
- After the PowerShell script runs, the following ransom note is left behind:
• The NetWalker operators asked for $50k within 7 days, or $100k after that. They were talked down to $35k after the deadline had expired.
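Two of the stages above leave artefacts that a responder should pull out of telemetry rather than eyeball: the LSASS dump in the Credential Access section, and the PsExec deployment line in the Objectives section. The following is an added example, not code from the original page or from the report it summarises. Its sample events are constructed: the PsExec command line is the one quoted above, the ProcDump command line and the Sysmon-style ProcessAccess record are assumptions about what such a dump leaves behind, and the paths, PIDs, hash values and ProcDump hash allowlist are placeholders.

```python
"""Credential-access and deployment indicators for the stages described above.

Added example: not code from the original page or the report it summarises.
Sample events are constructed. The PsExec line follows the one quoted on the
page; the ProcDump command line and the Sysmon Event ID 10 record are
assumptions about what an lsass dump leaves in telemetry; paths, PIDs, hash
values and the ProcDump hash allowlist are placeholders.
"""
import re

LSASS = r"C:\Windows\System32\lsass.exe"

# Sysmon Event ID 1 (process create) and Event ID 10 (process access), trimmed.
PROCDUMP_CREATE = {"id": 1, "image": r"C:\Users\Administrator\Desktop\procdump64.exe",
                   "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp",
                   "sha256": "1111111111111111111111111111111111111111111111111111111111111111"}
PROCDUMP_ACCESS = {"id": 10, "source_image": r"C:\Users\Administrator\Desktop\procdump64.exe",
                   "target_image": LSASS, "granted_access": 0x1FFFFF}
BENIGN_ACCESS = {"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
                 "target_image": LSASS, "granted_access": 0x1000}
PSEXEC_CREATE = {"id": 1, "image": r"C:\psexec.exe", "cmdline": (
    r'C:\psexec.exe @ip-list.txt -d cmd /c "(net use q: /delete /y & '
    r'net use q: \\DomainController\DomainName /user:DomainName\administrator ThisWasThePassword & '
    r'powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -File q:\P100119.ps1)"')}

# Placeholder allowlist standing in for the hashes of genuine Sysinternals
# ProcDump releases; the page notes the actor's binary matched none of them.
KNOWN_PROCDUMP_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000000"}

# Reading lsass memory needs PROCESS_VM_READ; 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010


def lsass_dump_reasons(event):
    """Return the reasons (possibly none) an event looks like an lsass dump."""
    reasons = []
    if event["id"] == 1:
        cmd = event["cmdline"].lower()
        name = event["image"].rsplit("\\", 1)[-1].lower()
        if "lsass" in cmd and any(k in cmd for k in ("-ma", "-mm", ".dmp")):
            reasons.append("lsass named on a dump-tool command line")
        if name.startswith("procdump") and event.get("sha256") not in KNOWN_PROCDUMP_SHA256:
            reasons.append("procdump-named binary whose hash is not a known release")
    elif event["id"] == 10:
        if (event["target_image"].lower() == LSASS.lower()
                and event["granted_access"] & PROCESS_VM_READ):
            reasons.append(f"0x{event['granted_access']:x} access to lsass from {event['source_image']}")
    return reasons


NET_USE_RE = re.compile(r"net use (\S+) (\\\\\S+) /user:(\S+) (\S+)", re.IGNORECASE)


def parse_psexec_deploy(cmdline):
    """Pull out what a responder needs from a PsExec mass-execution line:
    the target list, the share and account used to reach the payload, any
    password passed inline, and how the PowerShell stage was hidden."""
    lower = cmdline.lower()
    finding = {
        "target_list": None,
        "detached": "-d" in cmdline.split(),  # -d: do not wait, fan out fast
        "share": None, "share_user": None, "password": None,
        "exec_policy_bypass": bool(re.search(r"-executionpolicy\s+bypass", lower)),
        "hidden_window": bool(re.search(r"-windowstyle\s+hidden", lower)),
        "script": None,
    }
    m = re.search(r"@(\S+)", cmdline)
    if m:
        finding["target_list"] = m.group(1)
    m = NET_USE_RE.search(cmdline)  # skips 'net use q: /delete /y', matches the mount
    if m:
        finding["share"], finding["share_user"], finding["password"] = m.group(2), m.group(3), m.group(4)
    m = re.search(r'-file\s+([^\s)"]+)', cmdline, re.IGNORECASE)
    if m:
        finding["script"] = m.group(1)
    return finding


if __name__ == "__main__":
    for ev in (PROCDUMP_CREATE, PROCDUMP_ACCESS, BENIGN_ACCESS):
        print(ev["id"], lsass_dump_reasons(ev))
    print(parse_psexec_deploy(PSEXEC_CREATE["cmdline"]))
```

The `password` field is the point: the command shipped the Domain Administrator password in clear text to every host in ip-list.txt, so it now sits in the 4688 or Sysmon command-line logs of each of them, and rotating that account (and the KRBTGT account, since the DC was accessed) belongs on the containment list alongside blocking the PsExec service. On the detection side, Event ID 10 with PROCESS_VM_READ on lsass catches a renamed or rebuilt ProcDump that the hash check misses, which is why the example keeps both.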
Timeline: