LockBit’s new Black variant showed anti-forensic activities which cleared event logs, killed multiple tasks, and deleted services simultaneously. It obtains initial access to the victim’s network via SMB brute forcing from various IPs.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/lockbit3.drawio.png\")
<\/p>\n
Fig. 1 \u2013 Attack Chain<\/strong><\/em><\/p>\n The sys-internal tool PSEXEC is used to execute malicious BAT files on a single system which were later cleaned off. These files indicate activity related to modifying RDP & authentication settings while disabling antivirus at the same time:<\/p>\n PSEXEC is also used to spread laterally across the victim’s network to execute the ransomware payload. The encryption is done using a multi-threaded approach where only shared drives got encrypted. The executed payload must have a valid key passed along with the command-line option ‘-pass.’ The encrypted files are appended with the .zbzdbs59d<\/em> extension, which suggests that the builder generates each payload with a random static string.<\/p>\n The ransomware payload is dropped inside the Windows<\/em> directory, where every variant requires a unique key to be passed as an argument. This feature was previously known to be used by other ransomware groups like BlackCat<\/em> and Egregor<\/em>. Even if the name of the payload is changed from ‘Lock.exe’ to anything else or put in any other directory, it does not run. The pass key used in this case is 60c14e91dc3375e4523be5067ed3b111<\/strong>.<\/p>\n Let us look at a few stages of the payload below:<\/p>\n Fig. 2 \u2013 Pseudo code for decrypting PE Sections<\/em><\/strong><\/p>\n The key passed in the argument is taken from the command line and verified. If it passes verification, this key is further processed to obtain a 1-byte key to decrypt specific sections obtained by traversing the PEB structure. The three sections decrypted in memory are \u2013 TEXT, DATA, and PDATA.<\/p>\n Being packed and having only a few imports, Win32 APIs are resolved by decrypting the obfuscated string with XOR using the key 0x3A013FD5<\/strong>, which is again unique to each payload.<\/p>\n Fig. 3 \u2013 Resolving APIs<\/em><\/strong><\/p>\n When Admin privileges are not present during execution, it uses CMSTPLUA COM<\/strong> to bypass the UAC<\/a> prompt, a legitimate Windows Connection Manager Service. This elevates the rights from the user to the administrator level with another instance of the ransomware payload, terminating the current process.<\/p>\n Fig. 4 \u2013 UAC Bypass using CMSTPLUA<\/em><\/strong><\/p>\n Threads used for file encryption are hidden from the debugger by calling NtSetInformationThread<\/strong> Win32 API via ThreadInformationClass<\/strong> with an undocumented value 0x11<\/strong> that denotes ThreadHideFromDebugger<\/strong>. This hinders dynamic analysis by not allowing debug information from the current ransomware’s thread to reach the attached debugger.<\/p>\n Fig. 5 \u2013 Anti-Debugging technique to hide threads<\/em><\/strong><\/p>\n As part of wiping out its traces, lots of anti-forensic activity is observed where Windows Event Logs are disabled by setting multiple registry subkeys to value 0.<\/p>\n Specifically, Windows Defender is disabled for evasion. An exhaustive list of Events Cleared<\/a>.<\/p>\n Process terminated included SecurityHealthSystray.exe<\/em> and the mutex created during execution was 13fd9a89b0eede26272934728b390e06<\/strong>. Services were enumerated using a pre-defined list and deleted or killed if found on the machine:<\/p>\n A few of the services deleted:<\/p>\n Scheduled tasks are enumerated and deleted, some of which are shown below. An exhaustive list of Tasks Killed<\/a>.<\/p>\n Volume shadow copies are enumerated using a WMI query and then deleted to prevent system restoration<\/p>\n Before encryption, the ransom note is created in every directory except the Program Files<\/em> and the Windows<\/em> directory, which aren\u2019t encrypted. We can see that they have moved the naming convention of ransom notes from \u2018Restore-My-Files.txt<\/em>\u2019 to a static string format \u201czbzdbs59d.README.txt<\/em>\u201d.<\/p>\n Fig. 6 \u2013 Ransom Note<\/em><\/strong><\/p>\n The ransom note contains instructions to install the TOR browser, links for a chat, and the personal ID unique to the victim to communicate with the attackers. It also includes the threat message to leak the stolen data if the ransom amount is not paid and ends with the warnings as usual. Multiple TOR mirrors for their leak site can be seen in the ransom note, which is used to reduce redundancy.<\/p>\n Before starting file encryption, a registry key for DefaultIcon<\/em> is created to associate an icon to all the encrypted files. Along with this ICO file (zbzdbs59d.ico), a BMP file is also dropped in the C:\\ProgramData<\/strong> directory. Files are encrypted by creating multiple threads where each filename is replaced with a random string generated and appending the extension to them. With full encryption completed under 2 minutes it still has the fastest encryption process since LockBit 2.0.<\/p>\n Fig. 7 \u2013 Encrypted Filenames<\/em><\/strong><\/p>\n Finally, the desktop background (different from 2.0 variant) of the victim machine is changed with the systemparametersinfoW<\/em> win32 API, and displays LockBit Black, and instructions to be followed for decryption.<\/p>\n Fig. 8 \u2013 Modified Wallpaper<\/em><\/strong><\/p>\n Unprotected systems in the network were brute-forced to run the PSEXEC tool for lateral movement across the systems. This was done to execute LockBit\u2019s latest Black ransomware variant. With LockBit 3.0 introducing its bug bounty program and adopting new extortion tactics, it is mandatory to take\u00a0precautions like downloading applications only from trusted sources, using antivirus for enhanced protection, and avoiding clicking on any links received through email or social media platforms. As threat actors create their own variants from the leaked LockBit Black\u2019s builder, proactive measures<\/a> must be taken to stay protected.<\/p>\n HEUR:Ransom.Win32.InP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n 3.220.57.224<\/p>\n 72.26.218.86<\/p>\n 71.6.232.6<\/p>\n 172.16.116.149<\/p>\n 78.153.199.241<\/p>\n 72.26.218.86<\/p>\n 5.233.194.222<\/p>\n 27.147.155.27<\/p>\n 192.168.10.54<\/p>\n 87.251.67.65<\/p>\n 71.6.232.6<\/p>\n 64.62.197.182<\/p>\n 43.241.25.6<\/p>\n 31.43.185.9<\/p>\n 194.26.29.113<\/p>\n Jumpsecuritybusiness[.]com<\/p>\n Since the infamous Conti ransomware group disbanded due to source code leaks during the Russia-Ukraine war, the LockBit group has claimed dominance. The group has adopted new extortion techniques and added a first-of-its-kind bug-bounty program, along with many features, to advance their new leak site. Upon investigation and analysis, we have determined that the new […]<\/p>\n","protected":false},"author":100,"featured_media":91046,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910],"tags":[1956,1961],"class_list":["post-91332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-quickheal-ransomware-cybersecurity-hacking-ransomwareprevention-threatintelligence","tag-lockbit-3-0"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91332"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/100"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91332"}],"version-history":[{"count":9,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91332\/revisions"}],"predecessor-version":[{"id":91361,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91332\/revisions\/91361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91046"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Payload Analysis<\/strong><\/h2>\n
Decrypting Sections<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/decrypt_func_2.png\")
<\/p>\nResolving Obfuscated APIs<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/win32api.png\")
<\/p>\nPrivilege Escalation<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/cmlua_1.png\")
<\/p>\nAnti-Debugging Technique<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/ntsetinfothread.png\")
<\/p>\nAnti-Forensic Activity<\/strong><\/h2>\n
\n
Service Deletion and Process Termination<\/strong><\/h2>\n
\n
\n
Tasks Killed<\/strong><\/h2>\n
\n\n
\n IBM*<\/td>\n PrnHtml.exe*<\/td>\n DriveLock.exe*<\/td>\n MacriumService.exe*<\/td>\n<\/tr>\n \n sql*<\/td>\n PAGEANT.EXE*<\/td>\n CodeMeter.exe*<\/td>\n ReflectMonitor.exe*<\/td>\n<\/tr>\n \n vee*<\/td>\n firefox.exe*<\/td>\n DPMClient.exe*<\/td>\n Atenet.Service.exe*<\/td>\n<\/tr>\n \n sage*<\/td>\n ngctw32.exe*<\/td>\n ftpdaemon.exe*<\/td>\n account_server.exe*<\/td>\n<\/tr>\n \n mysql*<\/td>\n omtsreco.exe<\/td>\n mysqld-nt.exe*<\/td>\n policy_manager.exe*<\/td>\n<\/tr>\n \n bes10*<\/td>\n nvwmi64.exe*<\/td>\n sqlwriter.exe*<\/td>\n update_service.exe*<\/td>\n<\/tr>\n \n black*<\/td>\n Tomcat9.exe*<\/td>\n Launchpad.exe*<\/td>\n BmsPonAlarmTL1.exe*<\/td>\n<\/tr>\n \n postg*<\/td>\n msmdsrv.exe*<\/td>\n MsDtsSrvr.exe*<\/td>\n check_mk_agent.exe*<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Shadow Volume Copies Deleted<\/strong><\/h3>\n
\n
Removal of all Active Network Connections<\/strong><\/h3>\n
\n
Registry Activity<\/strong><\/h2>\n
\n\n
\n reg add “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System” \/v legalnoticecaption \/t REG_SZ \/d “ATTENTION to representatives!!!! Read before you log on” \/f<\/td>\n<\/tr>\n \n reg add “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System” \/v legalnoticetext \/t REG_SZ \/d “Your system has been tested for security and unfortunately your system was vulnerable. We specialize in file encryption and industrial (economic or corporate) espionage. We don’t care about your files or what you do, nothing personal – it’s just business. We recommend contacting us as your confidential files have been stolen and will be sold to interested parties unless you pay to remove them from our clouds and auction, or decrypt your files. Follow the instructions in your system” \/f<\/td>\n<\/tr>\n \n reg add “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f<\/td>\n<\/tr>\n \n reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA \/v RunAsPPL \/t REG_DWORD \/d 0 \/f<\/td>\n<\/tr>\n \n reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 \/f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Ransom Note<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/ransom_note_1.png\")
<\/p>\nFile Encryption<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/encr.png\")
<\/p>\nChanging Wallpaper<\/strong><\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/02\/wallpaper.png\")
<\/p>\nConclusion<\/strong><\/h2>\n
IOCs<\/strong><\/h4>\n
\n\n
\n MD5<\/b><\/td>\n Protection<\/b><\/td>\n<\/tr>\n \n 7E37F198C71A81AF5384C480520EE36E<\/td>\n Ransom.Lockbit3.S28401281<\/p>\n IPs<\/strong><\/h4>\n
Subject Matter Experts<\/strong><\/h2>\n
\n