
Capabilities

Initial Access

  • The threat actors behind NEFILIM hire a variety of affiliates for initial access, offering each affiliate a 70-30 share. Most affiliates use compromised RDP to access a network, while some exploit known vulnerabilities.

Discovery

  • From what was observed or reported:
    • Exploitation of the Citrix vulnerability (CVE-2019-19781)
    • Valid accounts, insecure RDP and brute-forced RDP lead to RDP access, followed by the dropping and execution of other components such as the anti-AV and exfiltration tools, and finally Nefilim itself.

Lateral Movement, Discovery and Defense Evasion

  • The attackers make use of PsExec or WMI for lateral movement and for dropping and executing other components and the ransomware itself. A batch file was observed terminating certain processes and services, alongside third-party tools such as PCHunter, ProcessHacker and RevoUninstaller. AdFind, BloodHound or SMBTool are used to identify Active Directory objects and/or machines joined to the domain.

Credential Access

  • Third-party tools were observed being used to gather credentials, such as Mimikatz, LaZagne and Nirsoft's Network Password Recovery (NetPass).

Exfiltration

  • One attack was observed using MegaSync to exfiltrate stolen files that had been archived with 7-Zip.

Impact

  • The ransomware payload itself has not changed much; after execution it proceeds with its encryption routine.
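The capability chain above, as an added example that is not code from the original page: a small Python detector that reads constructed Sysmon-style process-creation lines and raises an alert only when tools from several of the stages described here appear on the same host. The stage-to-tool mapping and the executable names are assumptions about how these tools commonly appear, not indicators taken from this page.

```python
from collections import defaultdict

# Tools named in the capability write-up, grouped by stage. The executable
# names are assumptions (typical file names), constructed for this demo.
STAGE_TOOLS = {
    "lateral_movement": {"psexec.exe", "psexesvc.exe", "wmic.exe"},
    "defense_evasion": {"pchunter64.exe", "processhacker.exe", "revouninstaller.exe"},
    "discovery": {"adfind.exe", "bloodhound.exe", "sharphound.exe", "smbtool.exe"},
    "credential_access": {"mimikatz.exe", "lazagne.exe", "netpass.exe"},
    "exfiltration": {"7z.exe", "megasync.exe"},
}

# Constructed process-creation records: "host|user|parent|image" (not real telemetry).
SAMPLE_LOG = """\
WS01|corp\\svc_admin|services.exe|C:\\Windows\\PSEXESVC.exe
WS01|corp\\svc_admin|cmd.exe|C:\\Temp\\PCHunter64.exe
WS01|corp\\svc_admin|cmd.exe|C:\\Temp\\adfind.exe
WS01|corp\\svc_admin|cmd.exe|C:\\Temp\\mimikatz.exe
WS01|corp\\svc_admin|cmd.exe|C:\\Program Files\\7-Zip\\7z.exe
WS01|corp\\svc_admin|explorer.exe|C:\\Users\\Public\\MEGAsync.exe
WS02|corp\\jdoe|explorer.exe|C:\\Program Files\\7-Zip\\7z.exe
"""


def parse_line(line):
    """Split one record and normalise the image to its lower-cased file name."""
    host, user, parent, image = line.split("|", 3)
    return host, user, parent, image.rsplit("\\", 1)[-1].lower()


def stages_per_host(log_text):
    """Map each host to the set of stages whose tools were seen launching on it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _user, _parent, image = parse_line(line)
        for stage, names in STAGE_TOOLS.items():
            if image in names:
                seen[host].add(stage)
    return dict(seen)


def alert_hosts(log_text, min_stages=3):
    """7-Zip alone is benign; alert only when several distinct stages co-occur on a host."""
    return sorted(h for h, s in stages_per_host(log_text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print(alert_hosts(SAMPLE_LOG))
```

Raising `min_stages` trades recall for precision; a single legitimate admin tool such as 7-Zip on WS02 never trips the alert on its own.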

Infection Routine

Current infection flow based on available data and research regarding other variants/incidents related to Nefilim:

Module state

File Reputation

Detection/Policy/Rules       Pattern Branch/Version   Release Date / Last Update
Ransom.Win32.NEFILIM.A       15.740.01                March 12, 2020
Ransom.Win32.NEFILIM.C       15.751.00                March 18, 2020
Ransom.Win32.NEFILIM.AC      16.480.00                January 16, 2021
Ransom.Win32.NEFILIM.D       15.753.00                March 19, 2020
Ransom.Win32.NEFILIM.L       16.250.00                September 26, 2020
Ransom.Win32.NEFILIM.G       15.847.00                May 4, 2020
Ransom.Win32.NEFILIM.E       15.852.00                April 22, 2020
Ransom.Win32.NEFILIM.A       15.739.00                March 12, 2020

Predictive Machine Learning

Detection                            Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF034          In-the-Cloud
Ransom.Win32.TRX.XXPE50FFF039E0002   In-the-Cloud
Troj.Win32.TRX.XXPE50FFF035          In-the-Cloud
Troj.Win32.TRX.XXPE50FFF041          In-the-Cloud

Behavior Monitoring

Pattern Branch/Version                         Release Date
Malware Behavior Blocking                      2020
Unauthorized Encryption and Modification       2020

Solution Map - What should customers do?

Endpoint Security (major products and latest versions: Apex One 2019; OfficeScan XG (12.0); Worry-Free Business Security Standard (10.0); Worry-Free Business Security Advanced (10.0))
  Virus Pattern: Update pattern via web console
  Antispam Pattern: Not Applicable for Apex One, OfficeScan and Worry-Free Business Security Standard; Update pattern via web console for Worry-Free Business Security Advanced
  Network Pattern: Update pattern via web console
  Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  Predictive Machine Learning: Enable Predictive Machine Learning
  Web Reputation: Enable Web Reputation Service and update pattern via web console

Hybrid Cloud Security (major product and latest version: Deep Security 12)
  Virus Pattern: Update pattern via web console
  Antispam Pattern: Not Applicable
  Network Pattern: Update pattern via web console
  Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  Predictive Machine Learning: Enable Predictive Machine Learning
  Web Reputation: Enable Web Reputation Service and update pattern via web console

Email and Gateway Security (major products and latest versions: Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14)
  Virus Pattern: Update pattern via web console
  Antispam Pattern: Update pattern via web console
  Network Pattern: Update pattern via web console for Deep Discovery Email Inspector; Not Applicable for InterScan Messaging Security, InterScan Web Security and ScanMail for Microsoft Exchange
  Behavior Monitoring: Not Applicable
  Predictive Machine Learning: Not Applicable
  Web Reputation: Enable Web Reputation Service and update pattern via web console

Network Security (major product and latest version: Deep Discovery Inspector 5.5)
  Virus Pattern: Update pattern via web console
  Antispam Pattern: Not Applicable
  Network Pattern: Update pattern via web console
  Behavior Monitoring: Not Applicable
  Predictive Machine Learning: Not Applicable
  Web Reputation: Enable Web Reputation Service and update pattern via web console

Recommendation

Always use the latest pattern available to detect both old and new variants of the Nefilim ransomware. Refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.

Implement the ransomware protection features and best practices. Refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.

You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.

For support assistance, please contact Trend Micro Technical Support.
