A malware tool set and related files that researchers at Sophos recently stumbled on provides rare insight into the tactics and techniques some threat actors are using to deploy ransomware these days.

The researchers discovered the malware while investigating Netwalker, a ransomware family that has been used in several recent attacks against large organizations in multiple sectors in the US, Australia, and Europe.

Their analysis showed the tool set contains a relatively comprehensive set of malware for everything from conducting reconnaissance to sniffing out valuable information, privilege escalation, credential theft, brute-forcing passwords, and evading intrusion detection tools.

The malware includes tools for exploiting specific vulnerabilities in Windows environments and legacy server environments, such as Tomcat and WebLogic.

Interestingly, a substantial proportion of the tools in the Netwalker portfolio were obtained from the public domain and included so-called gray-hat tools such as Mimikatz for password dumping.

Andrew Brandt, principal researcher at Sophos, says the tool set is another reminder why attack tools don't have to be especially sophisticated to be effective.

"The techniques and tools they are using are not groundbreaking or new, but they remain stubbornly effective as IT teams continue to struggle with controlling what's running on their networks and what is accessible through the firewall," Brandt says.

According to Sophos, the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.

The Netwalker tool set also includes one called NLBrute, which the attackers have set up to break into systems with weakly enabled Remote Desktop Services (RDP). Sophos found NLBrute configured to use a specific set of username and passwords to try and break into RDP services.

"The [username and password] lists serve as a good guideline for what not to do when it comes to choosing complex passwords," Brandt says.

Sophos found that once the attackers gain entry to a network, they use commonly available tools, such as SoftPerfect Network Scanner, to look for and create lists of computers with open SMB ports. They then use products such as Mimikatz, Mimidogz, or Mimikittenz to harvest credentials from these systems.

The set of post-exploitation tools in the Netwalker arsenal includes several for privilege escalation. Among them are exploits for a critical, recently disclosed remote code execution bug in Microsoft's Server Message Block (SMB v3) technology (CVE-2020-0796), a local privilege escalation vulnerability in Windows (CVE-2019-1458), and a flaw from 2015 dubbed "Russian Doll" (CVE-2015-1701).

For the ransomware deployment itself, the attackers have been using a heavily obfuscated PowerShell loader script and orchestration tools that use domain controllers to distribute malware to any machine the domain controllers can reach.

Publicly Available Tools
Interestingly, several of the tools the operators of Netwalker are using to remove Windows endpoint malware detection tools are from legitimate security vendors. Among the tools in this category that Sophos' researchers discovered are WorryFree Uninstall from Trend Micro, AV Remover from ESET, and Microsoft Security Client Uninstall.

Like the antivirus software removal tools, a majority of the other tools the operators of Netwalker are using in ransomware campaigns are publicly available products. Among them are Mimikatz, Windows Credential Editor, pwdump, SoftPerfect Network Scanner, psexec, Teamviewer, and Anydesk.

Brandt says the tools and tactics attackers are using to deploy Netwalker ransomware might have been considered cutting edge even two years ago, but they are relatively old hat now. 

"These attackers are not plowing rough ground here," he says.

At the same time, it is a mistake to underestimate the damage these attackers can cause or the cost of cleaning up after them.

"These attackers have not slowed down, as we've seen evidence of new malware payloads being created even this week," Brandt says. "So as rudimentary as they are, they must still be somewhat effective."

For organizations, threats like Netwalker highlight the need for basic security hygiene, he says. Brute-force attacks against RDP or those seeking to exploit the EternalBlue issue in the SMB protocol, for instance, should be relatively easy for organizations to protect against provided they put in the effort to address them, he says.

"I just wonder what it will require for everyone to understand these risks are not insurmountable and agree to take their patch medicine." Brandt says.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register.