A technical analysis of the leaked LockBit 3.0 builder

Summary of a technical analysis of the leaked LockBit 3.0 builder, detailing how it generates RSA keys, embeds resources, and produces encryptor/decryptor payloads, with implications for potential LockBit forks. The piece highlights the tool's capabilities and notes related observations, such as DarkSide-era techniques and the possibility of forked LockBit variants. #LockBit #LockBit3 #DarkSide #Conti

Key points

  • The LockBit 3.0 builder was leaked on September 21, 2022; its toolset generates RSA keys and embeds them in the encryptor/decryptor components it produces.
  • The builder.exe was compiled on September 13, 2022, and keygen.exe generates RSA keys saved as pub.key and priv.key (RSA keys are Base64-encoded).
  • The analysis documents how the tool reads command-line arguments via GetCommandLineW and CommandLineToArgvW to decide which executable to generate (encryptor vs decryptor).
  • The process opens the private key file with CreateFileW, reads it with ReadFile, and Base64-decodes the private key; the ransom note and the remaining configuration data are read from config.json.
  • config.json defines whitelisted folders, files, and extensions, the processes and services to stop, and the ransom note content; a custom hashing function computes a 4-byte hash for each whitelisted item, and the resulting buffer is Base64-encoded.
  • The malware uses the RDRAND and RDSEED instructions to generate random values, combines them with hard-coded values via XOR, and XORs the buffer containing the private key as part of its obfuscation.
  • Two further techniques (for example, the -pass parameter used to evade sandboxes) are noted, and SentinelOne has documented similar behavior; this suggests shared code and possible borrowing from DarkSide.

MITRE Techniques

  • [T1059] Command-Line Interface – The malware reads and parses the command line using GetCommandLineW and CommandLineToArgvW to decide actions. ‘The CommandLineToArgvW API is utilized to obtain an array of pointers to the command line arguments.’
  • [T1106] Native API – The builder opens the RSA private key with CreateFileW, reads it with ReadFile, and writes modified resources with WriteFile. ‘The builder opens the RSA private key file by calling the CreateFileW … The process reads the above file content using the ReadFile API.’
  • [T1132] Data Encoding – RSA keys are Base64-encoded/decoded as part of key handling. ‘The RSA private key is Base64-decoded by the malicious process.’
  • [T1027] Obfuscated/Encoded Files and Information – The RSA private key and ransom note are Base64-encoded and XORed with random values during preparation. ‘The malware implements a custom “hashing” function … The resulting buffer containing the hashes is Base64-encoded by the builder.’
  • [T1562.001] Impair Defenses – The -pass parameter is used to avoid sandboxes and hinder dynamic analysis. ‘If it’s running with the “-pass” parameter, the ransomware avoids sandboxes and increases the difficulty of the dynamic analysis.’

Indicators of Compromise

  • [File] pub.key – RSA public key file generated by keygen.exe and embedded by the builder into the encryptor/decryptor components
  • [File] priv.key – RSA private key file generated by keygen.exe and embedded by the builder into the encryptor/decryptor components
  • [File] LB3Decryptor.exe – decryptor payload generated by the builder
  • [File] LB3.exe – final encryptor payload
  • [File] LB3_Rundll32.dll – DLL variant of the encryptor payload
  • [File] LB3_ReflectiveDll_DllMain.dll – reflective DLL variant of the encryptor
  • [File] config.json – ransom configuration (whitelist, processes to stop, ransom note)
  • [Hash] A736269F5F3A9F2E11DD776E352E1801BC28BB699E47876784B8EF761E0062DB – SHA256 hash related to the builder

Read more: https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/