A Go-based ransomware masquerading as LockBit exfiltrates data via AWS S3 Transfer Acceleration to attacker-controlled buckets. The samples contain hard-coded AWS credentials, enabling IOC tracking and leading to AWS account suspensions, highlighting cloud service abuse by threat actors. #LockBit #AWS #S3TransferAcceleration #Golang #AESCTR
Key points
- Golang ransomware samples abuse AWS S3 Transfer Acceleration to exfiltrate victim files to attacker-controlled buckets.
- Hard-coded AWS credentials in the samples serve as Indicators of Compromise (IOCs) for tracking malicious activities.
- The ransomware disguises itself as LockBit to leverage its notoriety and pressure victims.
- Findings were shared with AWS Security, confirming activity violated AWS's acceptable use policy and leading to suspensions.
- Encryption and exfiltration employ AES-CTR, with a random master key and RSA-encrypted master key material.
- Cloud service abuse is rising, underscoring the need for vigilant monitoring of cloud resources and use of security solutions such as Vision One.
MITRE Techniques
- [T1041] Exfiltration Over Command and Control: "Utilizes AWS S3 Transfer Acceleration to upload stolen files."
- [T1486] Data Encrypted for Impact: "Encrypts files using AES-CTR before exfiltration."
- [T1003] Credential Dumping: "Hard-coded AWS credentials are used for accessing AWS resources."
- [T1036] Masquerading: "Disguises the ransomware as LockBit to intimidate victims."
Indicators of Compromise
- [Credential] AWS Access Keys and Secrets: hard-coded credentials found in samples (Access Key IDs and Secret Access Keys) for accessing AWS resources
- [Account] AWS Account IDs: AWS Account IDs linked to malicious activities, inferred from the keys
- [File Hash] Sample file hashes: 14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31, 0c54e79e8317e73714f6e88df01bda2c569ec84893a7a33bb6e8e4cf96980430
- [Endpoint] AWS S3 Transfer Acceleration endpoints: bucketname.s3-accelerate.amazonaws.com, bucketname.s3-accelerate.dualstack.amazonaws.com
- [Hash] MD5 of concatenated bytes used for the AES key: 23a3ecc5582d9741073c3bdc317d4930
- [Host] Host UUID / machine identifiers: host machine universally unique identifier (UUID) referenced during initialization
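The two indicator classes above (hard-coded AWS access key IDs and S3 Transfer Acceleration endpoints) can be hunted for together in a strings dump of a suspect binary or in proxy/DNS logs. The following is an added example, not code from the original report; the key ID is the AWS documentation placeholder and the bucket name is constructed, so neither is a real IOC from the samples.

```python
"""Hunt for hard-coded AWS key IDs and S3 Transfer Acceleration endpoints."""
import re
from dataclasses import dataclass, field

# AWS access key IDs are 20 uppercase alphanumerics with a well-known prefix:
# AKIA for long-term IAM user keys, ASIA for temporary STS credentials.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Transfer Acceleration endpoints look like
#   <bucket>.s3-accelerate.amazonaws.com  or  <bucket>.s3-accelerate.dualstack.amazonaws.com
# Accelerated buckets must be DNS-compliant without periods, so the bucket
# label is lowercase letters, digits and hyphens only.
ACCEL_RE = re.compile(
    r"\b([a-z0-9][a-z0-9-]{1,61}[a-z0-9])\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com\b"
)


@dataclass
class Findings:
    access_key_ids: set = field(default_factory=set)
    accelerate_buckets: set = field(default_factory=set)


def scan(text: str) -> Findings:
    """Collect key IDs and accelerate-endpoint bucket names seen in text."""
    found = Findings()
    for m in ACCESS_KEY_RE.finditer(text):
        found.access_key_ids.add(m.group(1))
    for m in ACCEL_RE.finditer(text):
        found.accelerate_buckets.add(m.group(1))
    return found


def is_suspicious(found: Findings) -> bool:
    """Both an embedded key ID and an accelerate endpoint in one artifact
    matches the exfiltration pattern described in the report."""
    return bool(found.access_key_ids) and bool(found.accelerate_buckets)


# Constructed input: strings from a fictional sample plus one proxy log line.
SAMPLE = """
AKIAIOSFODNN7EXAMPLE
exfil-bucket-placeholder.s3-accelerate.amazonaws.com
2024-01-01T00:00:00Z CONNECT exfil-bucket-placeholder.s3-accelerate.dualstack.amazonaws.com:443
"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

Extracted key IDs can be checked against the published IOCs and, for an organisation's own keys, against IAM to confirm whether they are legitimately issued; bucket names give the value to block or alert on at the proxy.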