This threat leverages a technique called reflective dynamic-link library (DLL) injection, also known as reflective DLL loading. The technique lets an attacker load a DLL from memory rather than from disk. It is stealthier than standard DLL injection: besides not needing the DLL file on disk, it does not go through the Windows loader, so the DLL is never registered as a loaded module of the process. This lets it evade tools that monitor DLL loads, such as those that watch image-load events or walk the process's module list.
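The property described above is also what a defender can hunt for: a reflectively loaded DLL lives in memory that is not file-backed (not MEM_IMAGE), is executable, is missing from the process's module list, and still carries an MZ/PE header unless the loader stomped it. The following Python is an added example, not code from the original post or from any vendor product. It applies that check to a constructed memory map; the region records, addresses and module list are made up to resemble what VirtualQueryEx and the loader's module list would return, and the PE stub is a fake header, not a real DLL.

```python
"""Flag memory regions that look like a reflectively loaded DLL (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Windows memory type and protection constants (values as defined in winnt.h).
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

FINDING_PE = "unbacked executable region with PE header (reflective DLL)"
FINDING_NOHDR = "unbacked executable region without PE header (possible stomped header or shellcode)"


@dataclass
class Region:
    """One entry of a process memory map (shape assumed for this example)."""
    base: int
    size: int
    mem_type: int   # MEM_IMAGE, MEM_PRIVATE, ...
    protect: int    # PAGE_* value
    head: bytes     # bytes read from the start of the region


def has_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(region: Region, module_bases: Set[int]) -> Optional[str]:
    """Return a finding for a suspicious region, or None for a normal one."""
    # File-backed image or registered with the loader: a normally loaded DLL.
    if region.mem_type == MEM_IMAGE or region.base in module_bases:
        return None
    # Non-executable private memory (heaps, stacks) is not of interest here.
    if region.protect not in EXECUTABLE:
        return None
    # Executable, not file-backed, unknown to the loader: exactly what
    # reflective loading produces. A PE header makes it high confidence.
    return FINDING_PE if has_pe_header(region.head) else FINDING_NOHDR


def find_reflective_modules(regions: List[Region],
                            module_bases: Set[int]) -> List[Tuple[int, str]]:
    """Run the check over a whole memory map."""
    return [(r.base, label) for r in regions
            if (label := classify(r, module_bases)) is not None]


def make_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header for the sample; not a real DLL."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed sample: two file-backed DLLs known to the loader, a heap, a
# reflectively loaded DLL in RWX private memory, and an unbacked executable
# region whose header has been wiped.
SAMPLE_MODULE_BASES = {0x7FF800000000, 0x7FF810000000}
SAMPLE_REGIONS = [
    Region(0x7FF800000000, 0x1000, MEM_IMAGE, PAGE_EXECUTE_READ, make_pe_stub()),
    Region(0x7FF810000000, 0x1000, MEM_IMAGE, PAGE_EXECUTE_READ, make_pe_stub()),
    Region(0x1A0000, 0x2000, MEM_PRIVATE, PAGE_READWRITE, b"\x00" * 0x100),
    Region(0x20000000, 0x30000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, make_pe_stub()),
    Region(0x30000000, 0x1000, MEM_PRIVATE, PAGE_EXECUTE_READ, b"\x90" * 0x100),
]

if __name__ == "__main__":
    for base, finding in find_reflective_modules(SAMPLE_REGIONS, SAMPLE_MODULE_BASES):
        print(f"0x{base:016X}: {finding}")
```

On a live Windows host the same logic is fed from VirtualQueryEx, ReadProcessMemory and the loader's module list (or from a memory dump). Treat the header-less finding as lower confidence: JIT runtimes such as .NET legitimately create private executable regions, so correlate it with the process image and its parent (a PowerShell host that suddenly owns an RWX region with a PE header is the case this page describes).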
We recently observed threat actors using this technique to deploy ColdLock ransomware. We have now seen a similar attack that runs Netwalker ransomware filelessly. The payload begins with a PowerShell script, detected as Ransom.PS1.NETWALKER.B.
It appears that attackers are adding reflective DLL injection to their ransomware arsenal in an attempt to make their attacks untraceable and harder for security analysts to investigate. Ransomware on its own is a formidable threat to organizations. As a fileless threat, the risk is greater because it can more easily evade detection and maintain persistence. Blended threats such as this one combine multiple techniques, so organizations need multiple layers of security technologies to protect their endpoints effectively, including security solutions that employ behavior monitoring and behavior-based detection.