LockBit 3.0, dubbed LockBit Black, shows clear borrowings from BlackMatter, including API harvesting, anti-debugging, and a suite of configuration flags that govern encryption and lateral movement. The variant deepens LockBit's capabilities with BlackMatter-like routines, PowerShell payloads, and extensive infrastructure for targeted, configurable attacks.
#LockBitBlack #BlackMatter
Keypoints
- LockBit 3.0 is analyzed as having BlackMatter-inspired components and behaviors (nicknamed LockBit Black).
- The analyzed sample is a Win32 executable whose sections are packed with an unknown packer; it is executed with the parameter -k LocalServiceNetworkRestricted -pass ….
- On encryption the sample appends a new file extension, drops a ransom note, and changes the desktop wallpaper; the ransom note references GDPR and Ilon Musk.
- Code similarities to BlackMatter include API harvesting, string decryption, and a trampoline-based approach to API calls.
- LockBit 3.0 reads 24 configuration flags that switch individual routines on or off, including privilege escalation and lateral movement.
- Lateral movement can be performed via admin shares and group-policy updates; PowerShell-based samples have also been observed in the wild.
- The malware checks the UI language to avoid infecting machines in specific regions, employs anti-debugging techniques, and deletes volume shadow copies through WMI to hinder recovery.
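Two of the behaviors above are easy to catch in process-creation telemetry: the unusual launch parameter and the shadow-copy deletion. The detector below is an added example, not code from the original report; it runs over constructed process-creation events (field names loosely follow Sysmon Event ID 1) and shows the caveat a practitioner must handle: `-k LocalServiceNetworkRestricted` by itself is a legitimate svchost.exe service-group switch, so the rule keys on the `-pass` argument and excludes the real svchost.exe. The `-pass` value in the sample event is a placeholder, not a real key.

```python
"""Detection logic over constructed Windows process-creation events.

Rules:
  lockbit3_pass_parameter  - a non-svchost image launched with "-pass <value>"
  shadow_copy_deletion     - shadow copies removed via wmic/WMI, vssadmin, or
                             PowerShell Win32_ShadowCopy
All events below are constructed for this example, not from a real incident.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str   # command line as logged


SAMPLE_EVENTS = [
    # Benign: real svchost using the same service-group switch (must NOT alert).
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp"),
    # Unknown binary mimicking the svchost switch and carrying a -pass argument (placeholder value).
    ProcEvent(r"C:\Users\victim\Downloads\update.exe", r"C:\Windows\explorer.exe",
              "update.exe -k LocalServiceNetworkRestricted -pass 00112233445566778899aabbccddeeff"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Users\victim\Downloads\update.exe",
              "wmic shadowcopy delete /nointeractive"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              "powershell -NoP -W Hidden Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    # Benign: listing shadow copies is not deletion (must NOT alert).
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
              "vssadmin list shadows"),
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


# "-pass" followed by a value, as a separate token or "-pass=value".
PASS_RE = re.compile(r"(?:^|\s)-pass(?:\s+|=)\S+", re.IGNORECASE)


def rule_pass_parameter(ev: ProcEvent) -> bool:
    """Alert on the -pass argument, but never on the genuine svchost.exe."""
    if _basename(ev.image) == "svchost.exe":
        return False
    return PASS_RE.search(ev.cmdline) is not None


def rule_shadow_copy_deletion(ev: ProcEvent) -> bool:
    """Shadow-copy deletion through wmic, vssadmin, or PowerShell WMI/CIM calls."""
    img = _basename(ev.image)
    cmd = ev.cmdline.lower()
    if img == "wmic.exe":
        return "shadowcopy" in cmd and "delete" in cmd
    if img == "vssadmin.exe":
        return "delete" in cmd and "shadows" in cmd
    if img in ("powershell.exe", "pwsh.exe"):
        return "win32_shadowcopy" in cmd and any(
            k in cmd for k in ("delete()", "remove-wmiobject", "remove-ciminstance"))
    return False


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("lockbit3_pass_parameter", rule_pass_parameter),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
]


def analyze(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that matches a rule."""
    return [(name, ev.cmdline) for ev in events for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for name, cmd in analyze(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Run against the sample set this flags the `update.exe -pass …` launch and the three deletion commands, and stays quiet on the DHCP svchost and on `vssadmin list shadows`. Pair the first rule with a parent-process or signature check in production; an unsigned binary in a user-writable path is the usual confirming signal.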
MITRE Techniques
- [T1027] Obfuscated Files and Information – LockBit 3.0 uses packing and obfuscated strings; "Using the packer identifier utility Detect It Easy, we found that this particular LockBit 3.0 sample is a Win32 .exe file with multiple sections packed with an unknown packer."
- [T1140] Deobfuscate/Decode Files or Information – Strings and routines are decrypted with XOR, XOR+NOT, or an LCG-based method; “the strings are decrypted using a simple bitwise-XOR routine…, or… XOR to key, or an LCG algorithm to generate a pseudorandom key.”
- [T1106] Native API – LockBit 3.0 performs API harvesting by hashing DLL API names and selecting needed APIs; “hashing the API names of a DLL, and then comparing it to the list of the APIs that the ransomware needs.”
- [T1027] Obfuscated Files and Information (indirect API calls) – The trampoline is an anti-analysis construct rather than process injection: control passes through a pointer into heap memory the ransomware allocated before reaching the real API address, so the call leaves no direct import or cross-reference; "a trampoline pointer… to jump to the API address of the NtTerminateProcess API."
- [T1059.001] PowerShell – VirusTotal sample shows PowerShell-based payloads with obfuscated layers and reflective loading; “PowerShell script containing two layers of obfuscated code.”
- [T1622] Debugger Evasion – Anti-debugging by setting ThreadHideFromDebugger (ThreadInformationClass 0x11) on the current thread through NtSetInformationThread, which detaches the thread from an attached debugger; the source quote names the API as "NtSetThreadInformation": "set the thread information to ThreadHideFromDebugger (0x11) via the NtSetThreadInformation API."
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement via admin shares; “Performs lateral movement via admin shares.”
- [T1614.001] System Location Discovery: System Language Discovery – Language checks to avoid targeted countries; "checks the victim machine's UI language to avoid infecting machines…"
- [T1078] Valid Accounts – Uses credentials embedded in its configuration to attempt logons and determine whether it holds domain-admin access; "Attempts to log in using credentials from its configuration list to determine if the compromised system is a part of the domain admin."
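The T1106 and T1140 entries describe two primitives an analyst has to reimplement to read a sample: resolving API hashes back to names, and undoing the XOR, XOR+NOT, and LCG-keystream string encryption. The script below is an added example, not code from the original report or from the malware; the ROR-13 hash, the LCG constants, the export table, and the ciphertexts are all assumptions constructed for the example. It shows both sides of API hashing (the malware walking an export table, and the analyst hashing a wordlist to recover the names behind the configuration's hash list) and the three decryptors, each of which is its own inverse.

```python
"""Analyst-side re-implementation of two BlackMatter-style primitives listed
under T1106 (API hashing) and T1140 (XOR / XOR+NOT / LCG string decryption).
The hash constant, the LCG constants, the export table and the ciphertexts are
all assumptions constructed for this example, not values from the malware."""
from typing import Dict, Iterable, List, Optional


def _ror32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Rotate-right-13 hash over the lowercased export name (illustrative constants)."""
    h = 0
    for b in name.lower().encode("ascii"):
        h = (_ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a parsed PE export directory: export name -> address.
EXPORTS: Dict[str, int] = {
    "NtTerminateProcess": 0x7FF8_0001_0000,
    "NtSetInformationThread": 0x7FF8_0001_0100,
    "NtQueryInformationProcess": 0x7FF8_0001_0200,
    "RtlAllocateHeap": 0x7FF8_0001_0300,
    "NtCreateFile": 0x7FF8_0001_0400,
}

# What the configuration carries: only hashes, never readable API names.
NEEDED_HASHES: List[int] = [api_hash("NtTerminateProcess"), api_hash("NtSetInformationThread")]


def resolve_imports(exports: Dict[str, int], needed: Iterable[int]) -> Dict[int, int]:
    """Malware-side walk: hash each export once and keep the ones in the needed list."""
    wanted = set(needed)
    return {api_hash(n): a for n, a in exports.items() if api_hash(n) in wanted}


def recover_names(hashes: Iterable[int], candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst-side inversion: hash a wordlist of known export names and map the
    hashes pulled from the configuration back to names (None if not in the wordlist)."""
    table = {api_hash(n): n for n in candidates}
    return {h: table.get(h) for h in hashes}


# --- T1140: three decryption schemes. Each is its own inverse, so the
# constructed ciphertexts below are produced by running the decryptor over the plaintext.

def xor_decrypt(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_not_decrypt(data: bytes, key: int) -> bytes:
    return bytes((~(b ^ key)) & 0xFF for b in data)


def lcg_keystream(seed: int, length: int, a: int = 0x343FD, c: int = 0x269EC3) -> bytes:
    """32-bit LCG (constants assumed); one keystream byte taken from each state update."""
    state, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(length):
        state = (a * state + c) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def lcg_decrypt(data: bytes, seed: int) -> bytes:
    return bytes(b ^ k for b, k in zip(data, lcg_keystream(seed, len(data))))


PLAINTEXT = b"vssadmin delete shadows /all /quiet"
ENC_XOR = xor_decrypt(PLAINTEXT, 0x5A)          # constructed ciphertext
ENC_XOR_NOT = xor_not_decrypt(PLAINTEXT, 0x5A)  # constructed ciphertext
ENC_LCG = lcg_decrypt(PLAINTEXT, 0xDEADBEEF)    # constructed ciphertext


if __name__ == "__main__":
    for h, addr in resolve_imports(EXPORTS, NEEDED_HASHES).items():
        print(f"{h:#010x} -> {addr:#x} ({recover_names([h], EXPORTS)[h]})")
    print(lcg_decrypt(ENC_LCG, 0xDEADBEEF).decode())
```

For a real sample, replace `EXPORTS` with the export names parsed from the target DLL (pefile does this) and `api_hash` with the routine lifted from the binary; `recover_names` then turns the configuration's hash list into the API list the report describes. The LCG decryptor is the one to get exactly right: a seed off by one still produces plausible-looking garbage, so verify against a string whose plaintext is already known from the ransom note.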
Indicators of Compromise
- [SHA-256] 80e8defa5377018f093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce – Ransom.Win32.LOCKBIT.YXCGD
- [SHA-256] a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e – Ransom.Win32.LOCKBIT.YXCGFT
- [SHA-256] d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee – Ransom.Win32.LOCKBIT.YXCGD
- [SHA-256] 506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51 – Ransom.Win32.LOCKBIT.YXCGKT
- [SHA-256] c597c75c6b6b283e3b5c8caeee095d60902e7396536444b59513677a94667ff8 – Ransom.PS1.LOCKBIT.YXCGTT
- [SHA-256] 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 – Ransom.Win32.LOCKBIT.YXCGT
- [SHA-256] (additional) – Ransom.Win32.LOCKBIT.YXCGD