LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

Sophos’ postmortem analysis shows LockBit 3.0 (LockBit Black) carries wormable capabilities and borrows heavily from BlackMatter, including tooling used by affiliates and even legitimate pentesters. The investigation highlights evolving self-spread techniques, obfuscation, anti-debugging, and a broad ecosystem of publicly available tools aiding deployment and evasion.

Key points

  • LockBit 3.0 shows wormable capabilities and reuse of BlackMatter code, suggesting a fluid ransomware ecosystem with shared ideas.
  • Affiliates and legitimate penetration testers have used overlapping tooling (Backstab, Cobalt Strike, Mimikatz, Netscan, GMER, AV Remover, PowerShell scripts).
  • Self-spread potential via Windows Group Policy Objects (GPO) or PSExec could speed deployment and lateral movement.
  • Anti-analysis techniques include ROT13-based DLL loading, on-the-fly API resolution, string obfuscation, and a five-type stub for API calls.
  • Thread hiding and printer-based ransom notes, along with deletion of shadow copies, bolster evasion and impact.
  • OS/version checks, network discovery (NetShareEnum), and embedded configuration (in .pdata vs .rsrc) show systematic environment awareness and custom decoding (LCG).
  • The wider toolset comprises widely used utilities (Backstab, GMER, Netscan, Mimikatz, Cobalt Strike) and a password-locked variant (lbb_pass.exe), with cross-linkages to REvil and BlooDy.

MITRE Techniques

  • [T1021] Remote Services – Lateral movement using PSExec and potential GPO-based spread to propagate ransomware across systems. ‘self-spread using Windows Group Policy Objects (GPO) or the tool PSExec’
  • [T1059.001] PowerShell – Use of PowerShell scripts, including those designed to remove security tooling. ‘PowerShell scripts designed to remove Sophos products’
  • [T1047] Windows Management Instrumentation – Uses IWbemLocator::ConnectServer and IWbemServices::ExecQuery to connect to the local WMI namespace and issue the queries used for shadow copy deletion. ‘IWbemLocator::ConnectServer … IWbemServices::ExecQuery’
  • [T1082] System Information Discovery – OS version checks to determine environment. ‘Determining the operating system version’
  • [T1135] Network Share Discovery – Enumerates network hostnames via NetShareEnum. ‘enumerating hostnames on the network by calling NetShareEnum’
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscation of strings and runtime decoding with XOR; dynamic string resolution. ‘Many strings … obfuscated, resolved during runtime by pushing the obfuscated strings on to the stack and decrypting with an XOR function’
  • [T1106] Native API – Dynamic API resolution and on-the-fly API stubs to obscure calls. ‘resolve API calls … a small piece of shellcode that performs API hash resolution on the fly’
  • [T1562.001] Impair Defenses: Hide Artifacts – Hiding threads using NtSetInformationThread with ThreadHideFromDebugger to avoid debugger events. ‘hide threads … ThreadHideFromDebugger’
  • [T1490] Inhibit System Recovery – Deletion of shadow copies to prevent recovery. ‘deleting the Volume Shadow Copy files’
  • [T1003] Credential Dumping – Use of Mimikatz to harvest credentials. ‘Mimikatz’

Indicators of Compromise

  • [File name] – lbb_pass.exe, sophoscentralremoval-master.zip, sophos-removal-tool-master.zip
  • [Tool/Software] – Backstab, GMER, AV Remover, Netscan, Mimikatz, Cobalt Strike
  • [Hex marker] – 0xABABABAB data marker within code, used for anti-debug checks

Read more: https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/