Trend Micro researchers analyze a new SolidBit variant that disguises itself as legitimate gaming/social apps on GitHub to lure victims and recruit ransomware-as-a-service affiliates. The campaign features multi-stage infection (Rust LoL Accounts Checker -> Lol Checker x64.exe -> Runtime64.exe), anti-analysis techniques, and a LockBit-like persona, with strong encryption and persistence mechanisms. #SolidBit #Yashma #Chaos #LockBit #LeagueOfLegends #GitHub
Keypoints
- The SolidBit variant masquerades as legitimate tools (e.g., League of Legends account checker) on GitHub to attract gamers and social media users.
- The infection chain starts with Rust LoL Accounts Checker.exe, which downloads and launches Lol Checker x64.exe; that stage in turn drops and executes Runtime64.exe, which is the SolidBit ransomware itself.
- The sample is protected with Safengine Shielden to obstruct reverse engineering, and its anti-virtualization and anti-debugging checks surface as an error window claiming that debugging tools have been detected.
- Windows Defender coverage is reduced via a PowerShell command (Add-MpPreference -ExclusionPath … -Force) that adds the drop location to Defender's exclusion list so the dropped components are not scanned; this is an exclusion, not a full shutdown of real-time protection.
- Autostart is achieved by creating a Run key registry entry (Software\Microsoft\Windows\CurrentVersion\Run, value name UpdateTask).
- Files are encrypted with AES-256, use the .SolidBit extension, and a ransom note RESTORE-MY-FILES.txt is dropped; shadow copies and backup catalogs are deleted to impede recovery.
MITRE Techniques
- [T1036] Masquerading – The sample disguises itself as a League of Legends account checker tool on GitHub to lure victims. Quote: “…masquerading as different applications, including a League of Legends account checker tool on GitHub…”
- [T1059.001] PowerShell – It uses a PowerShell command to modify Defender settings during execution. Quote: “…PowerShell command “Add-MpPreference -ExclusionPath …””
- [T1105] Ingress Tool Transfer – The ransomware chain downloads and executes additional components (Rust LoL Accounts Checker.exe downloads and executes Lol Checker x64.exe; Lol Checker x64.exe launches Runtime64.exe). Quote: “Rust LoL Accounts Checker.exe downloads and executes Lol Checker x64.exe using the following command: cmd /c start "" %TEMP%\LoL Checker x64.exe”
- [T1027] Obfuscated/Compressed Files and Information – The loader is protected/obfuscated by Safengine Shielden to hinder analysis. Quote: “…obfuscates samples and applications to make reverse engineering and analysis more difficult.”
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Anti-VM and anti-debugging checks are used; on detection an error window claims that debugging tools were found (the debugger check itself corresponds to T1622 Debugger Evasion). Quote: “an error window appears and claims that debugging tools have been detected … anti-virtualization and anti-debugging capabilities.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – The ransomware creates a registry Run key value named UpdateTask for persistence. Quote: “the registry key to a directory named “Software\Microsoft\Windows\CurrentVersion\Run” with the value “UpdateTask” as its autostart mechanism”
- [T1486] Data Encrypted for Impact – Uses 256-bit AES to encrypt files and appends the .SolidBit extension. Quote: “256-bit Advanced Encryption Standard (AES) encryption to encrypt the files … The ransomware will also append the .SolidBit file extension to the encrypted files”
- [T1490] Inhibit System Recovery – Deletes shadow copies and backup catalogs to hinder recovery. Quote: “delete shadow copies (Figure 15) and backup catalogs (Figure 16)”
- [T1562.001] Disable or Modify Tools – Adds a Windows Defender exclusion path via PowerShell (Add-MpPreference -ExclusionPath … -Force) so the dropped components escape scanning; this modifies Defender's configuration rather than disabling real-time protection outright. Quote: “command … to Add-MpPreference -ExclusionPath … -Force”
- [T1059.003] Windows Command Shell – The second stage is launched through cmd.exe (cmd /c start), and that stage drops and executes Runtime64.exe, the SolidBit payload. Quote: “cmd /c start "" %TEMP%\LoL Checker x64.exe” and “will drop and execute the file Runtime64.exe, which we analyzed as the SolidBit ransomware”
Indicators of Compromise
- [File name] context – Rust LoL Accounts Checker.exe, Lol Checker x64.exe, Runtime64.exe, RESTORE-MY-FILES.txt
- [Registry] context – Registry Run key path Software\Microsoft\Windows\CurrentVersion\Run with value name UpdateTask
- [File extension] context – .SolidBit (extension appended to encrypted files)
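The following Python script is an added example, not code from the Trend Micro report or from the SolidBit sample: it turns the behaviours in the technique list and the file/registry IoCs above into detection rules and runs them over a handful of constructed Sysmon-style process-creation and registry SetValue events. The event layout, the expanded %TEMP% path, and the vssadmin/wbadmin command lines standing in for the shadow-copy and backup-catalog deletion (which the report shows only as figures) are assumptions of this example.

```python
"""Added example: rule-based triage of endpoint events for the SolidBit
behaviours summarised above. Not code from the Trend Micro report."""
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Shape loosely follows
# Sysmon Event ID 1 (ProcessCreate) and Event ID 13 (Registry SetValue).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "Image": r"C:\Users\victim\Downloads\Rust LoL Accounts Checker.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\Rust LoL Accounts Checker.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # %TEMP% as quoted in the report, shown here expanded as telemetry records it
    {"id": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'cmd /c start "" {TEMP}\\LoL Checker x64.exe',
     "ParentImage": r"C:\Users\victim\Downloads\Rust LoL Accounts Checker.exe"},
    {"id": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -Command Add-MpPreference -ExclusionPath {TEMP} -Force",
     "ParentImage": f"{TEMP}\\LoL Checker x64.exe"},
    {"id": "13",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask",
     "Details": f"{TEMP}\\Runtime64.exe"},
    # Assumed command lines: the report only shows shadow copy / backup catalog
    # deletion as figures, so the exact syntax below is this example's assumption.
    {"id": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": f"{TEMP}\\Runtime64.exe"},
    {"id": "1", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet",
     "ParentImage": f"{TEMP}\\Runtime64.exe"},
    # Benign noise that must not fire
    {"id": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# (technique, description, command-line pattern), one rule per reported behaviour
COMMAND_RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1105", "stage-2 binary started via cmd /c start from the Temp directory",
     re.compile(r'cmd(\.exe)?\s+/c\s+start\s+""\s+.*\\Temp\\LoL Checker x64\.exe', re.I)),
    ("T1562.001", "Defender exclusion path added with Add-MpPreference",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I)),
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "backup catalog deleted with wbadmin",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
RUN_KEY_UPDATETASK = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateTask$", re.I)
FILE_IOCS = {"rust lol accounts checker.exe", "lol checker x64.exe", "runtime64.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (event_index, technique, description) for every rule that fires."""
    hits: List[Tuple[int, str, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("id") == "13":
            if RUN_KEY_UPDATETASK.search(ev.get("TargetObject", "")):
                hits.append((idx, "T1547.001", "Run key value UpdateTask written"))
            continue
        cmd = ev.get("CommandLine", "")
        for technique, desc, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                hits.append((idx, technique, desc))
        for field in ("Image", "ParentImage"):
            name = _basename(ev.get(field, ""))
            if name in FILE_IOCS:
                hits.append((idx, "IOC", f"{field} matches known SolidBit file name {name}"))
    return hits


def techniques_seen(hits: List[Tuple[int, str, str]]) -> List[str]:
    return sorted({t for _, t, _ in hits if t != "IOC"})


def likely_solidbit_chain(hits: List[Tuple[int, str, str]], minimum: int = 3) -> bool:
    """Crude correlation: several distinct techniques from the report's chain on one host."""
    return len(techniques_seen(hits)) >= minimum


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for idx, technique, desc in found:
        print(f"event {idx}: [{technique}] {desc}")
    print("likely SolidBit chain:", likely_solidbit_chain(found))
```

Single command-line matches (an administrator adding a Defender exclusion, for instance) are weak signals on their own; the `likely_solidbit_chain` correlation requires several of the reported behaviours together before treating a host as a probable SolidBit infection, which is how the rules should be combined in a SIEM as well.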