LockBit 3.0 Being Distributed via Amadey Bot – ASEC BLOG

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – Distribution via malicious Word documents and email attachments described as Case 1/Case 2: “There is also a case where the malware was found as “Resume.exe.” The e-mail used in the attack has not been confirmed yet, but the file was run as “Resume.exe.” It was also disguised as an innocuous Word file icon…”
• [T1023] LNK – LNK file is created and used as downloader: “The LNK file is created in the “C:UsersPublicskeml.lnk” pathway and is executed via the following command. > rundll32 url.dll,OpenURL C:UsersPublicskeml.lnk”
• [T1218] Signed Binary Proxy Execution: Rundll32 – Use of rundll32 to run the LNK/loader: “rundll32 url.dll,OpenURL C:UsersPublicskeml.lnk”
• [T1059.001] PowerShell – Download and execute Amadey via PowerShell commands: “The LNK file is a downloader that runs powershell command to download and run Amadey.”
• [T1027] Obfuscated/Compressed Files and Information – Powershell scripts are obfuscated before execution: “The powershell files are initially obfuscated, and are structured to be executed after being unobfuscated in the memory.”
• [T1053.005] Scheduled Task/Job – Persistence via Task Scheduler: “c:windowssystem32schtasks.exe” /create /sc minute /mo 1 /tn rovwer.exe /tr “c:users[username]appdatalocaltemp…rovwer.exe” /f
• [T1036] Masquerading – Files disguised as innocuous Word items: “Amadey Bot disguised as innocuous Word file icon”
• [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and downloads from web addresses: “Amadey receives three commands from the C&C server, and they are all commands that download and execute malware from the external source.”
• [T1486] Data Encrypted for Impact – LockBit encryption behavior: “Lockbit ransomware infects files … creates a ransom note in each folder.”