LockBit ransomware operators use sophisticated DLL sideloading and masquerading techniques to evade detection and execute malicious payloads under the cover of legitimate system processes. These techniques are integrated throughout the attack chain, from initial access to encryption, enabling persistence and stealth in compromised environments. #LockBit #DLLSideloading #Masquerading #Syrphid
Keypoints
- LockBit ransomware employs DLL sideloading by bundling malicious DLLs with legitimate applications to execute ransomware payloads stealthily.
- Masquerading techniques include renaming ransomware executables to mimic system processes, spoofing process names, using legitimate application icons, and placing files in trusted directories.
- Attackers leveraged trusted applications such as jarsigner.exe, MpCmdRun.exe, and Clink_x86.exe alongside malicious DLLs for payload execution.
- The attack chain involves initial access via remote desktop tools, privilege escalation through NSSM and PsExec, credential theft using TokenUtils.exe and Sd1.exe, lateral movement via Group Policy, and ransomware payload deployment.
- LockBit ransomware executes obfuscated PowerShell scripts to encrypt a wide range of file types using AES encryption and RSA-secured keys.
- Syrphid, a cybercrime group linked to LockBit ransomware, was disrupted in 2024; however, the ransomware builder was leaked, enabling wider threat actor usage.
- Carbon Black and Symantec EDR solutions detected numerous alerts related to LockBit activity, including ransomware signatures, PsExec usage, and network reconnaissance tools.
MITRE Techniques
- [T1071] Application Layer Protocol – Use of remote desktop tools like TeamViewer and MeshAgent for initial access (‘accessing machines using well-known remote desktop tools like MeshAgent, TeamViewer’).
- [T1053] Scheduled Task/Job – NSSM used to run a remote access Trojan as a Windows service (‘NSSM was used to run a remote access Trojan (RAT) as a service’).
- [T1078] Valid Accounts – Credential theft performed using TokenUtils.exe to steal user tokens and Sd1.exe to steal Kerberos tickets (‘TokenUtils.exe was used to steal tokens; Sd1.exe was also used to steal Kerberos tickets’).
- [T1021] Remote Services – Lateral movement with Group Policy to drop and execute payloads (‘Group Policy was used to drop payloads on the machines and started executing files’).
- [T1055] Process Injection – Masquerading by injecting code or manipulating process names to disguise malicious processes (‘manipulate process names to appear as legitimate services or applications’).
- [T1574] Hijack Execution Flow – DLL sideloading where legitimate applications load malicious DLLs (‘legitimate application inadvertently loads the malicious DLL’).
- [T1486] Data Encrypted for Impact – Execution of obfuscated PowerShell commands to encrypt files with AES and RSA encryption (‘malicious obfuscated PowerShell command to encrypt certain file types’).
Indicators of Compromise
- [File Hash] LockBit related malicious files – f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97 (nssm.exe), 5ca8e1d001a2c3800afce017424ca471f3cba41f9089791074a9cb7591956430 (tokenutils.exe), 0201a6dbe62d35b81d7cd7d7a731612458644b5e3b1abe414b0ea86d3266ab03 (sd1.exe), and 1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870 (.exe).
- [File Hash] Masqueraded DLLs and executables – edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a (mpclient.dll), 011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb (access.exe), 4147589aa11732438751c2ecf3079fb94fa478a01ac4f08d024fb55f7ffb52f3 (clink_dll_x86.dll).
- [Domain] Malicious C2 infrastructure – msupdate[.]updatemicfosoft[.]com used in communication with compromised hosts.
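The indicators above are only useful once they are matched against what is actually on disk and in DNS logs. The script below is an added example for this summary, not code from Symantec or the write-up: it checks file records against the SHA-256 IoCs listed here, refangs the C2 domain for comparison with DNS query names, and applies a simple sideloading/masquerading heuristic (a binary named like a known host or system process running from outside its expected directory, sharing that directory with a DLL). The file records and DNS queries are constructed, and the "expected directory" table is an assumption about typical install locations that should be tuned to the estate being monitored.

```python
"""Triage helpers for the LockBit sideloading/masquerading indicators above.

Added example, not code from the original write-up. Hashes and the C2 domain
are the IoCs listed on the page; file records are constructed; EXPECTED_DIRS
is an assumption about typical install locations.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA-256 IoCs from the page, mapped to the file name each was reported as.
IOC_SHA256 = {
    "f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97": "nssm.exe",
    "5ca8e1d001a2c3800afce017424ca471f3cba41f9089791074a9cb7591956430": "tokenutils.exe",
    "0201a6dbe62d35b81d7cd7d7a731612458644b5e3b1abe414b0ea86d3266ab03": "sd1.exe",
    "1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870": "unnamed .exe",
    "edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a": "mpclient.dll",
    "011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb": "access.exe",
    "4147589aa11732438751c2ecf3079fb94fa478a01ac4f08d024fb55f7ffb52f3": "clink_dll_x86.dll",
}

# C2 domain from the page, kept defanged; refanged only at comparison time.
C2_DOMAIN_DEFANGED = "msupdate[.]updatemicfosoft[.]com"

# Host binaries the page names as sideloading hosts, plus svchost.exe for the
# process-name masquerading case. Assumption: typical install directories.
EXPECTED_DIRS = {
    "mpcmdrun.exe": ("c:\\program files\\windows defender",
                     "c:\\programdata\\microsoft\\windows defender\\platform"),
    "jarsigner.exe": ("c:\\program files\\java", "c:\\program files (x86)\\java"),
    "clink_x86.exe": ("c:\\program files\\clink", "c:\\program files (x86)\\clink"),
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
}


def refang(domain: str) -> str:
    """Turn a defanged/raw domain into a comparable lowercase form."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def is_c2_query(query: str) -> bool:
    """True if a DNS query name is the listed C2 domain or a subdomain of it."""
    q, c2 = refang(query), refang(C2_DOMAIN_DEFANGED)
    return q == c2 or q.endswith("." + c2)


def is_out_of_place(path: str) -> bool:
    """Known host/system binary name located outside its expected directory."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in EXPECTED_DIRS[name])


def triage(records):
    """records: iterable of {"path": str, "sha256": str}; returns sorted findings."""
    findings = []
    by_dir = defaultdict(list)
    for r in records:
        path = r["path"]
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].append(p.name.lower())
        if r["sha256"].lower() in IOC_SHA256:
            findings.append(("ioc_hash", path, IOC_SHA256[r["sha256"].lower()]))
        if is_out_of_place(path):
            findings.append(("out_of_place", path, p.name.lower()))
    # Sideloading heuristic: an out-of-place host exe sharing a directory with a DLL.
    for d, names in by_dir.items():
        hosts = [n for n in names if n in EXPECTED_DIRS and is_out_of_place(d + "\\" + n)]
        dlls = [n for n in names if n.endswith(".dll")]
        for h in hosts:
            for dll in dlls:
                findings.append(("sideload_pair", d + "\\" + h, dll))
    return sorted(findings)


# Constructed sample inventory: a Defender binary copied next to a malicious
# mpclient.dll, a masqueraded svchost.exe in Temp, nssm.exe in ProgramData,
# and one legitimately placed MpCmdRun.exe as a control. "0"*64 stands in for
# the (unlisted) hash of the genuine binary.
SAMPLE_RECORDS = [
    {"path": r"C:\Users\Public\MpCmdRun.exe", "sha256": "0" * 64},
    {"path": r"C:\Users\Public\mpclient.dll",
     "sha256": "edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a"},
    {"path": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "sha256": "0" * 64},
    {"path": r"C:\Windows\Temp\svchost.exe",
     "sha256": "1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870"},
    {"path": r"C:\ProgramData\nssm.exe",
     "sha256": "f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(*finding)
    print("c2 query:", is_c2_query("msupdate.updatemicfosoft.com"))
```

Run against the constructed inventory this yields three hash hits, two out-of-place binaries and one sideloading pair; the control copy of MpCmdRun.exe in its normal directory produces nothing. Hash matching is the precise but brittle part (a rebuilt payload changes the hash), while the out-of-place and sideload-pair checks are what catch the technique itself, so the two should be used together rather than relying on the hash list alone.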
Read more: https://www.security.com/threat-intelligence/lockbit-ransomware-attack-techniques