Analysis
On 28th July 2022, security researchers of SentinelOne found the Lockbit 3.0 ransomware abuses legitimate Microsoft defender utility to side-load weaponized DLL file which loads and decrypts the encrypted cobalt strike payload.
The Lockbit ransomware 3.0 was in wild since first-quarter of 2022, which is mostly targeting Banking, Financial Services, and Insurance sectors based on the analysis by Cyble researchers. As per an investigation by security researchers from Cyble, the ransomware encryption and decryption of the strings and code takes place during runtime, then it creates mutex to ensure that only one instance of malware is running on the victim's system, then the ransomware creates multiple threads to perform several tasks in parallel to encrypt the files faster, before encrypting the files, the ransomware deletes a few services to encrypt the file, then it drops two files named “HLjkNskOq.ico” and “HLjkNskOq.bmp” and finally the ransomware changes the extension of files as “HLjkNskOq”, it then also leaves a note and changes the wallpaper.
Prevention
- Take regular backups of the server, end devices, and other storage devices to reduce the impact of any kind of ransomware attack.
- Educate employees to download applications from a legitimate site and create awareness about phishing.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Detection
Create rules based on known indicators of the ransomware in the SIEM
(Security incident event management) tool for the detection of ransomware.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Defense Evasion |
T1112 T1497 |
Modify Registry Virtualization/Sandbox Evasion |
| Discovery |
T1082 T1083 |
System Information Discovery File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
| CNC | T1071 | Application Layer Protocol |
| Defense Evasion | T1070 | Indicator Removal on Host |
Indicators of Compromise (IOCs)
| Indicators | Description |
| a512215a000d1b21f92dbef5d8d57a420197d262 | Malicious glib-2.0.dll |
| 729eb505c36c08860c4408db7be85d707bdcbf1b | Malicious glib-2.0.dll |
| 10039d5e5ee5710a067c58e76cd8200451e54b55 | Malicious glib-2.0.dll |
| ff01473073c5460d1e544f5b17cd25dadf9da513 |
Malicious glib-2.0.dll |
| e35a702db47cb11337f523933acd3bce2f60346d |
Encrypted Cobalt Strike payload – c0000015.log |
| 82bd4273fa76f20d51ca514e1070a3369a89313b |
Encrypted Cobalt Strike payload – c0000015.log |
| 091b490500b5f827cc8cde41c9a7f68174d11302 |
Decrypted Cobalt Strike payload – c0000015.log |
| 0815277e12d206c5bbb18fd1ade99bf225ede5db |
Encrypted Cobalt Strike payload – c0000013.log |
| eed31d16d3673199b34b48fb74278df8ec15ae33 | Malicious mpclient.dll |
| 149.28.137[.]7 | Cobalt Strike C2 |
| 45.32.108[.]54 |
IP where the attacker staged the malicious payloads to be downloaded |
| 139.180.184[.]147 |
Attacker C2 used to receive data from executed commands |
| info.openjdklab[.]xyz | Domain used by the mpclient.dll |
|
38745539b71cf201bb502437f891d799 (MD5) F2a72bee623659d3ba16b365024020868246d901 (SHA1) 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56 bba1fe4eda932ce (Sha256) |
LockBit 3.0 EXE file |
References:
CYBLE
SentinelOne blog
