FortiGuard Labs describes a new LockBit ransomware campaign that uses a multi-stage, defense-evasion approach to bypass AV/EDR, including .img containers, UAC bypass, and auto-login persistence. The campaign targets Spanish-speaking firms in Mexico and Spain, delivering the LockBit payload after a deceptive installation flow. #LockBit #MOTWBypass #UACBypass #SysInternalsAutologon
Key points
- The campaign uses a .img container and displays a single visible file to prompt user interaction while hiding other payloads.
- A Python script is executed via the official Python embed package to run subsequent BAT scripts.
- Some variants use a UAC bypass method abusing fodhelper.exe to elevate privileges.
- The BAT script performs multiple steps: password changes, file copies to ProgramData, and autologon persistence for post-boot login.
- It attempts to boot in Safe Mode and to register a Windows service that runs a VBS script, with registry-based persistence.
- If necessary, it places another BAT file to run on logon as a UI shell, and the system is rebooted.
- The ransomware payload is delivered inside a password-protected archive, extracted with 7-Zip, and executed to deploy LockBit.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell - "The BAT script (4) does several things: 1. Changes the password of the logged-in user."
- [T1059.006] Command and Scripting Interpreter: Python - A Python script is used in the chain: "In some of the cases that we've observed, a python script is executed (2.1) using the official Python embed package."
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control - "Some variants used a known UAC bypass method abusing the legitimate fodhelper.exe (3.1)."
- [T1059.005] Command and Scripting Interpreter: Visual Basic - The VBS script (4.1) is run by the service the BAT script registers.
- [T1543.003] Create or Modify System Process: Windows Service - "Register a new service that will run its VBS script (4.1) using sc.exe."
- [T1053.005] Scheduled Task/Job: Scheduled Task - Referenced in the broader execution/persistence sequence of the BAT chain.
- [T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL - "Ensures that after the system reboots, it logs in without user interaction (using SysInternals Autologon)."
- [T1027.002] Obfuscated Files or Information: Software Packing - "Multi-stage scripts and encrypted archives to unpack payloads."
- [T1562.009] Impair Defenses: Safe Mode Boot - "Set the next reboot to be in Safe Mode using bcdedit.exe." and related Safe Mode persistence efforts.
- [T1486] Data Encrypted for Impact - "The final payload is LockBit," indicating encryption activity for impact.
- [T1529] System Shutdown/Reboot - The BAT chain reboots the machine as part of persistence and execution.
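As an added example that is not part of the FortiGuard post, the script below runs a small set of command-line rules over constructed process-creation telemetry modelled on the stages listed above (password change, bcdedit Safe Mode, sc.exe service running a VBS, Winlogon autologon keys, fodhelper.exe, 7-Zip extraction of a password-protected archive, reboot). Service, file and account names are hypothetical; a host that trips several distinct stages in a short window is the signal worth escalating.

```python
import re

# Constructed sample process command lines (not real telemetry); the
# names, paths and password are placeholders.
SAMPLE_CMDLINES = [
    r'cmd.exe /c net user Alice P@ssw0rd123',
    r'bcdedit.exe /set {default} safeboot network',
    r'sc.exe create UpdSvc binPath= "wscript.exe C:\ProgramData\upd.vbs" start= auto',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f',
    r'C:\Windows\System32\fodhelper.exe',
    r'7z.exe x -pSecret C:\ProgramData\pkg.7z -oC:\ProgramData',
    r'shutdown.exe /r /t 0',
    r'notepad.exe C:\Users\Alice\notes.txt',  # benign control line
]

# (technique id, description, pattern) - one rule per chain stage.
RULES = [
    ("T1562.009", "Safe Mode boot set via bcdedit", re.compile(r"bcdedit.*\bsafeboot\b", re.I)),
    ("T1543.003", "Service created to run a VBS script", re.compile(r"\bsc(\.exe)?\s+create\b.*(wscript|cscript|\.vbs)", re.I)),
    ("T1547.004", "Winlogon autologon values written", re.compile(r"\\Winlogon\b.*(AutoAdminLogon|DefaultPassword)", re.I)),
    ("T1548.002", "fodhelper.exe launched (UAC bypass candidate)", re.compile(r"\bfodhelper\.exe\b", re.I)),
    ("T1059.003", "Local account modified with net user", re.compile(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+", re.I)),
    ("T1529", "Reboot requested", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
    ("staging", "Password-protected archive extracted with 7-Zip", re.compile(r"\b7z(\.exe)?\s+[xe]\b.*\s-p\S+", re.I)),
]

def match_rules(cmdline):
    """Return the ids of every rule whose pattern matches one command line."""
    return [tid for tid, _desc, rx in RULES if rx.search(cmdline)]

def triage(cmdlines):
    """Map each rule id to the command lines that triggered it."""
    hits = {}
    for line in cmdlines:
        for tid in match_rules(line):
            hits.setdefault(tid, []).append(line)
    return hits

def chain_score(hits):
    """Count distinct stages seen; three or more on one host in a short
    window resembles the multi-stage chain rather than routine admin work."""
    return len(hits)

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for tid, lines in found.items():
        print(tid, "->", lines)
    print("distinct stages:", chain_score(found))
```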
Indicators of Compromise
- [File hash] IMG SHA256 - 1ef3ae251833be08b6f3e525969ae02c28cb0238e3adb3091e572a10633f7ef7, dad61d9f919a9cc84ae633e948946e7546b21dc4d9d47d19d96fd308c7de40cb, and other hashes
- [File hash] Ransomware executables - cb049c6e59106bbdfd804a9d02bb31ea09a3918018cbb97fb12d2bcf9e475465, 8465c979990e75262d15e93453287d6107f008035d6d6a05bd3a92c2e3fe1d40
- [Domain] poliovocalist[.]com - infrastructure used in the campaign
- [IP] 198.244.187[.]248 - network beacon or C2 traffic
- [IP] 150.129.218[.]231 - network beacon or C2 traffic
- [URL] hxxp://lockbit3jx6je7tm6hhm6zzafgy6hpil3ur6jmc2a4ugan7xzztv6oqd[.]onion - onion-based portal URL
- [URL] hxxp://lockbitdvbpfczc3yrs37kpp6avnrgr7yygi2f45qxvef2yqi36lpxyd[.]onion - onion-based portal URL
Read more: https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign