Ransomware utilizes living-off-the-land tools in Windows attacks for stealth and evasion. They can blend in with normal system activities by leveraging legitimate, built-in tools like PowerShell or Windows Management Instrumentation (WMI).
This stealthy move makes it harder for security measures to detect and block their malicious actions. This process improves the effectiveness of ransomware campaigns by exploiting trusted tools already present in the targeted systems.
Cybersecurity researchers at Symantec recently discovered that Alpha ransomware uses living-off-the-land tools to attack Windows computers.
New ransomware Alpha that emerged in Feb 2023 resembles old NetWalker, which vanished in Jan 2021 post-law enforcement action. However, Alpha has intensified attacks lately.
Alpha mirrors the NetWalker code, and both employ a PowerShell loader for payload delivery by featuring actual code that overlaps in their payloads.
Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks
.
- Outline the main functionality execution flow for both payloads.
- Single thread handles process and service termination.
- Resolved APIs with differing hashes but a similar list.
- Similar configurations include their lists of skipped items, processes, and services.
- Self-deletion via temporary batch file post-encryption.
- Matching payment portals with the “For enter, please use user code” message.
Here below, we have mentioned all the identical list of processes of NetWalker and Alpha to kill:-
Alpha surfaced quietly in February 2023 but now amps up operations by unveiling a data leak site. Recent Alpha attacks showcase heavy use of living-off-the-land tools.
Here below, we have mentioned all the living-off-the-land tools:-
- Taskkill: Windows command-line tool that can end one or more tasks or processes.
- PsExec: Microsoft Sysinternals tool for executing processes on other systems. Attackers primarily use the tool to move laterally on victim networks.
- Net.exe: Microsoft tool that can stop and start the IPv6 protocol.
- Reg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.
NetWalker led the early ransomware wave, which raked in $27.6 million. After a law enforcement break, it seemed gone.
But Alpha’s similarity hints at a revival – either by original developers or new attackers modifying NetWalker’s payload for their ransomware venture.
IoCs
- 46569bf23a2f00f6bac5de6101b8f771feb972d104633f84e13d9bc98b844520 – PowerShell loader
- 6462b8825e02cf55dc905dd42f0b4777dfd5aa4ff777e3e8fe71d57b7d9934e7 – PowerShell loader
- 6e204e39121109dafcb618b33191f8e977a433470a0c43af7f39724395f1343e – PowerShell loader
- 89bfcbf74607ad6d532495de081a1353fc3cf4cd4a00df7b1ba06c10c2de3972 – PowerShell loader
- e43b1e06304f39dfcc5e59cf42f7a17f3818439f435ceba9445c56fe607d59ea – PowerShell loader
- e573d2fec8731580ab620430f55081ceb7153d0344f2094e28785950fb17f499 – Alpha ransomware loader
- e68dd7f20cd31309479ece3f1c8578c9f93c0a7154dcf21abce30e75b25da96b – Alpha ransomware loader
- ab317c082c910cfe89214b31a0933eaab6c766158984f7aafb9943aef7ec6cbb – Alpha ransomware loader
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.