SentinelOne MDR observed new LOLKEK (GlobeImposter) samples in May 2023 with updated capabilities, including local drive discovery and encryption, as well as a TOR-based victim portal. The article reviews IoCs, ransom-note details, victim-portal workflows, and an OPSEC misstep that ties these campaigns to earlier GlobeImposter activity. #LOLKEK #TA505
Keypoints
- Two LOLKEK samples were observed (compiled May 2023); only one was fully functional.
- The payloads enumerate and encrypt locally available drives, including mounted network shares.
- They attempt to delete Volume Shadow Copies (VSS); WMIC-formatted deletion commands are present in the samples' code.
- Encrypted files receive a .MMM extension and contain the "CRYPTO LOCKER" string also present in earlier GlobeImposter generations.
- Ransom notes are dropped as ReadMe.txt in multiple locations and direct victims to a Tor-based victim portal for a private chat and payment details.
- The portal shows the ransom demand (in the example observed, USD 1350 payable in Bitcoin) through a ticketing-style interface.
- An OPSEC misstep, an Apache misconfiguration that exposes a status page on the Tor portal, helps link these campaigns to earlier GlobeImposter activity.
MITRE Techniques
- [T1005] Data from Local System – the quoted behaviour is drive discovery followed by encryption, not collection of data for exfiltration, so this mapping is weak; the enumeration of mounted network shares is closer to T1135 Network Share Discovery, and the encryption itself is T1486 below. “[When launched, the new LOLKEK payloads will discover and subsequently encrypt any locally available drive including mounted network shares in sequence.]”
- [T1083] File and Directory Discovery – the payloads enumerate local drives and the file system before encrypting. “[LOLKEK drive enumeration and discovery]”
- [T1490] Inhibit System Recovery – the samples delete Volume Shadow Copies via WMIC, removing the built-in recovery path. “[WMIC-formatted calls to remove VSS are found in the samples’ code.]”
- [T1486] Data Encrypted for Impact – files are encrypted and the “.MMM” extension is appended. “[Encrypted files, once fully processed, will have the “.MMM” extension appended to them.]”
- [T1047] Windows Management Instrumentation – the VSS deletion is issued as WMIC-formatted calls, i.e. through WMI. The original mapping to T1202 Indirect Command Execution does not fit: that technique covers proxy utilities such as pcalua.exe or forfiles.exe, not WMIC itself. “[WMIC-formatted calls to remove VSS are found in the samples’ code.]”
- [T1027.002] Obfuscated Files or Information: Software Packing – not supported by the cited evidence. The “CRYPTO LOCKER” string appears in the encrypted output and is a lineage marker tying these samples to prior GlobeImposter generations; it says nothing about packing of the payload. “[Encrypted files contain the same “CRYPTO LOCKER” string seen in said prior generations.]”
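Detection angle for the T1490 behaviour above, as an added example that is not from the article: the rule set below is run over constructed process-creation events (the command lines, PIDs and parent process names are made up for the demo) and flags the WMIC shadow-copy deletion the samples contain, plus the vssadmin and wbadmin variants other ransomware families use, while letting benign enumeration through. The caret stripping in normalize() is there because cmd.exe discards `^` before executing, a cheap way to dodge naive string matches.

```python
"""Detect shadow-copy deletion attempts (T1490) in process-creation telemetry.

Added example: the events below are constructed Sysmon Event ID 1 / Security
4688-style records, not logs from the article. The patterns cover the WMIC
form the article reports in the LOLKEK samples and the vssadmin / wbadmin
variants commonly seen in other ransomware families.
"""
import re

SAMPLE_EVENTS = [  # constructed test data; parent names are hypothetical
    {"pid": 4120, "parent": "lolkek_sample.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 4121, "parent": "lolkek_sample.exe",
     "cmd": "WMIC.exe   SHADOWCOPY  delete /nointeractive"},
    {"pid": 4122, "parent": "cmd.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4123, "parent": "cmd.exe",
     "cmd": 'cmd.exe /c "w^mic shadowcopy delete"'},      # caret-obfuscated
    {"pid": 4124, "parent": "explorer.exe",
     "cmd": "vssadmin list shadows"},                      # benign enumeration
    {"pid": 4125, "parent": "explorer.exe",
     "cmd": "wmic process list brief"},                    # benign WMIC use
]

RULES = {
    "wmic_shadowcopy_delete":
        re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin_resize_shadowstorage":
        re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize\b", re.I),
    "wbadmin_delete_backups":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
}


def normalize(cmd: str) -> str:
    """Undo cheap evasions before matching: cmd.exe drops '^' escape
    characters, so 'w^mic' executes as 'wmic'; runs of whitespace are
    collapsed so padded arguments still match."""
    return re.sub(r"\s+", " ", cmd.replace("^", "")).strip()


def match_rules(cmd: str) -> list[str]:
    """Return the names of every rule the normalized command line triggers."""
    n = normalize(cmd)
    return [name for name, rx in RULES.items() if rx.search(n)]


def detect(events: list[dict]) -> list[dict]:
    """Run every rule over process-creation events; one finding per event with hits."""
    findings = []
    for ev in events:
        rules = match_rules(ev["cmd"])
        if rules:
            findings.append({"pid": ev["pid"], "parent": ev["parent"],
                             "rules": rules, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f['pid']} parent={f['parent']} rules={f['rules']}: {f['cmd']}")
```

One caveat: the article says the WMIC-formatted calls are in the samples' code, which does not guarantee a wmic.exe process is ever spawned; a payload can issue the same WMI request through the COM API and leave no command line to match. Pair command-line rules with the VSS provider's own Event ID 8222 in the Application log (source VSS, shadow copy deleted) or with EDR telemetry on WMI activity.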
Indicators of Compromise
- [SHA1] Payloads (two samples) – 768b8d81a6b0f779394e4af48755ca3ad77ed951, ed247b58c0680b7c92632209181733e92f1b0721
- [SHA256] Payloads (two samples) – 08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed, 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f
- [SHA256] Ransom notes (ReadMe.txt) – 0b179973dc267d9c300e9b7d3c27c67a18d7c79b2cc34927cbe5a465f83c6190, 2c66e5f96470526219f40c6adfd6990cc28d520975da1fdb6bb5497d55a54117
- [SHA1] Ransom notes (ReadMe.txt) – 456b0bda3f6d9ec9a874daac050b75fc28174510, 88baff4e1751bd364cdb1a4bb5fda4a37ee127c4
- [Email] Contact address – filessupport@onionmail[.]org
- [URLs/Domains] Tor victim portal and related link – mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion, https[:]//yip[.]su/2QstD5
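A triage script for the artefacts listed on this page, added here as an example rather than SentinelOne's tooling: it walks a directory, flags .MMM files and whether they carry the CRYPTO LOCKER string (the article does not say where in the file the string sits, so the whole file is scanned with a chunked search that also catches a marker split across a chunk boundary), hashes ReadMe.txt files against the listed ransom-note SHA-256s and scans them for the listed contact indicators, and hashes every other file against the listed payload hashes. The demo() fixture is constructed test data: the file contents and the minimal note are invented for the example, so the note's hash does not match the real IoCs while its contact indicators do.

```python
"""Triage a directory tree for the LOLKEK artefacts described on this page.

Added example, not SentinelOne's tooling. Flags:
  * files with the .MMM extension, and whether the "CRYPTO LOCKER" string is
    present (its offset inside the file is not stated, so the whole file is scanned);
  * ReadMe.txt files whose SHA-256 matches a listed ransom-note hash or whose text
    carries a listed contact indicator;
  * any other file whose SHA-256 matches a listed payload hash.
"""
import hashlib
import os
import re
import tempfile

MARKER = b"CRYPTO LOCKER"
ENCRYPTED_EXT = ".mmm"
NOTE_NAME = "readme.txt"

# IoCs copied from the list above.
PAYLOAD_SHA256 = {
    "08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed",
    "58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f",
}
NOTE_SHA256 = {
    "0b179973dc267d9c300e9b7d3c27c67a18d7c79b2cc34927cbe5a465f83c6190",
    "2c66e5f96470526219f40c6adfd6990cc28d520975da1fdb6bb5497d55a54117",
}
CONTACT_PATTERNS = {
    "email": re.compile(r"filessupport@onionmail\.org", re.I),
    "onion": re.compile(r"mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad\.onion", re.I),
    "shortener": re.compile(r"yip\.su/2QstD5"),
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def contains_marker(path: str, marker: bytes = MARKER, chunk: int = 1 << 20) -> bool:
    """Chunked byte search that keeps len(marker)-1 bytes of overlap, so a
    marker straddling a chunk boundary is still found."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            window = tail + block
            if marker in window:
                return True
            tail = window[-keep:] if keep else b""
    return False


def triage(root: str, chunk: int = 1 << 20) -> list[dict]:
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings.append({"path": path, "kind": "encrypted_file",
                                 "marker": contains_marker(path, chunk=chunk)})
                continue
            digest = sha256_file(path, chunk)
            if lower == NOTE_NAME:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "replace")
                hits = [k for k, rx in CONTACT_PATTERNS.items() if rx.search(text)]
                findings.append({"path": path, "kind": "ransom_note",
                                 "hash_match": digest in NOTE_SHA256,
                                 "contacts": hits})
            elif digest in PAYLOAD_SHA256:
                findings.append({"path": path, "kind": "known_payload", "sha256": digest})
    return findings


def demo() -> dict:
    """Constructed fixture (no real victim data): an encrypted file carrying the
    marker, one without it, one where the marker straddles a 1 KiB chunk
    boundary, a minimal invented note holding only the listed contacts, and an
    unrelated file that should produce no finding."""
    root = tempfile.mkdtemp()
    fixtures = {
        "report.docx.MMM": b"\x00" * 4096 + MARKER + b"\x00" * 16,
        "other.MMM": b"A" * 1024,
        "straddle.MMM": b"B" * 1020 + MARKER + b"C" * 100,
        "ReadMe.txt": (b"contact filessupport@onionmail.org or "
                       b"http://mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion\n"),
        "notes.txt": b"unrelated file\n",
    }
    for name, data in fixtures.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {os.path.basename(f["path"]): f for f in triage(root, chunk=1024)}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

Hash matches are the strongest signal but also the most brittle (a single byte of difference in a note defeats them), which is why the note check also looks for the contact indicators; the .MMM extension plus marker check catches the encrypted output even when the payload itself is no longer on disk.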