Researchers at Trend Micro have observed samples of the Netwalker ransomware that are not compiled binaries but PowerShell scripts executed directly in memory, without the ransomware binary ever being written to disk. Known as “fileless” malware, this technique allows the ransomware to evade detection and to use tools already installed on the machine to launch attacks. Fileless malware also uses reflective Dynamic-Link Library (DLL) injection, which loads a DLL into a targeted process from memory rather than from disk. This is stealthier than normal DLL injection because it bypasses the standard Windows loader that most DLLs go through: the DLL is never registered as a loaded module, so DLL load monitoring tools do not see it. The PowerShell script itself is hidden under several layers of encryption, obfuscation and encoding to evade static detection as well.
Analyst Notes
So-called “fileless” malware techniques have been used by different malware families to go undetected by most static anti-virus solutions, but this should not deter defenders from following best practices. Even “fileless” malware still relies on some files to run—it simply hides all of the malicious content so that automated solutions such as scanning of files with anti-virus will not detect it. Utilizing an Endpoint Detection and Response tool with skilled security analysts on internal staff or a managed security service can help with quick recognition of a threat through behavior analysis and detection of unusual uses of built-in tools, even if the threat is not recognized by any anti-virus solution. The sooner an attack is found and contained, the less damage it will cause. Backing up data regularly can also help reduce the amount of data lost if a ransomware infection were to happen.
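The behaviour-based detection the analyst notes recommend, shown as an added example that is not code from this bulletin or from Trend Micro: a small Python triage script that scans PowerShell script block log records for the in-memory loading and encoding-layer indicators described above (base64 decoding, dynamic evaluation, reflective assembly loading, executable memory allocation, hidden windows, encoded command lines) and peels one -EncodedCommand layer before re-scanning, so a hit buried under an encoding layer is still attributed. The log records, indicator weights and alert threshold are all constructed assumptions for this example, not values from any product or from the report.

```python
import base64
import re

# Constructed sample records shaped like PowerShell script block logging
# events (Event ID 4104). They are illustrative stand-ins written for this
# example and are not taken from the Trend Micro report.
SAMPLE_EVENTS = [
    {"id": "e1", "host": "WS-01",
     "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"id": "e2", "host": "WS-02",
     "script": "$b=[Convert]::FromBase64String($p); IEX ([Text.Encoding]::Unicode.GetString($b))"},
    {"id": "e3", "host": "WS-03",
     "script": "[System.Reflection.Assembly]::Load($bytes); $addr=VirtualAlloc(0,$len,0x3000,0x40); "
               "[Runtime.InteropServices.Marshal]::Copy($buf,0,$addr,$len)"},
    {"id": "e4", "host": "WS-04",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
               "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAuAC4ALgA="},
]

# Behavioural indicators of in-memory execution and of encoding layers.
# Each entry: (name, compiled regex, weight). The weights are assumptions
# chosen for this example, not values from any product or the report.
INDICATORS = [
    ("decode_base64", re.compile(r"FromBase64String", re.I), 2),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window", re.compile(r"-W(?:indowStyle)?\s*Hidden", re.I), 1),
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load\b", re.I), 3),
    ("memory_alloc", re.compile(r"\bVirtualAlloc(?:Ex)?\b", re.I), 3),
    ("marshal_copy", re.compile(r"Marshal\]::Copy|GetDelegateForFunctionPointer", re.I), 2),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/=]{40,}"), 1),
]

# -EncodedCommand (and its -e / -enc aliases) carries base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(script):
    """Peel one encoding layer: decode an -EncodedCommand argument.
    Returns the decoded script text, or None if there is no such argument
    or it does not decode cleanly."""
    m = ENCODED_ARG.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_indicators(text, prefix=""):
    """Return (hit names, summed weight) for every indicator found in text."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(prefix + name)
            score += weight
    return hits, score


def score_script(script):
    """Score one script block. A decoded layer is scanned too, with its hits
    prefixed 'decoded:' so the analyst can see which layer fired."""
    hits, score = match_indicators(script)
    decoded = decode_encoded_command(script)
    if decoded is not None:
        inner_hits, inner_score = match_indicators(decoded, prefix="decoded:")
        hits += inner_hits
        score += inner_score
    return {"score": score, "hits": hits, "decoded": decoded}


def triage(events, threshold=4):
    """Return (id, score, hits) for events at or above the threshold (an
    assumed value for this example), highest score first."""
    flagged = []
    for ev in events:
        result = score_script(ev["script"])
        if result["score"] >= threshold:
            flagged.append((ev["id"], result["score"], result["hits"]))
    flagged.sort(key=lambda t: -t[1])
    return flagged


if __name__ == "__main__":
    for ev_id, score, hits in triage(SAMPLE_EVENTS):
        print(f"{ev_id}: score={score} hits={', '.join(hits)}")
```

Run against the constructed records, the routine administrative command (e1) scores zero, while the in-memory loader (e3), the hidden encoded command (e4) and the decode-and-evaluate one-liner (e2) are flagged. The point of scoring several weak indicators together, rather than alerting on any single one, is that each of these built-in capabilities has legitimate uses; it is the combination in one script block that marks the "unusual use of built-in tools" the analyst notes describe, and that remains visible even when no anti-virus signature matches the payload. In production the same logic would read real script block and command-line telemetry from the EDR or the Windows event log rather than the embedded samples.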
The full report from Trend Micro can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/