NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed – ASEC BLOG

LockBit 3.0 is distributed via phishing emails disguised as job applications, using NSIS installers that deliver a nested payload. It encrypts user files, disables security services, drops a ransom note and changes the desktop wallpaper; AhnLab details its detections and IOCs. #LockBit3.0 #JobApplicationPhishing

Keypoints

  • LockBit 3.0 is spread through phishing emails that disguise the attachment as a job application resume.
  • Some emails include a password in the body or file name to help targeted recipients decompress and run the payload.
  • The compressed attachment contains another .alz archive; decompressing it reveals the ransomware executable, which is disguised with an HWP (Hangul word processor) icon.
  • The NSIS installer uses a script ([NSIS].nsi) to generate a temporary file and inject the decrypted LockBit 3.0 payload for execution.
  • On infection, the malware alters registry values to disable security services (sppsvc, WinDefend, wscsvc, VSS).
  • It encrypts user files, changes their icons and file names, creates a ransom note, and changes the wallpaper to signal that encryption has taken place.
  • AhnLab reports specific detections and IOCs for this campaign, including file hashes and named detections.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The campaign distributes the ransomware via email attachments disguised as job applications; “recently it is being distributed as a phishing email disguised as an email on the subject of job applications.”
  • [T1204.002] User Execution – The recipient can decompress and run this file; “only the recipient of said email can decompress and run this file.”
  • [T1140] Deobfuscate/Decode Files or Information – The NSIS package decrypts and injects the internal payload; “…executes a shell code in a specific OFFSET position of the ‘1213645181 file’ to decrypt the internal LockBit 3.0 executable and inject it onto itself to run.”
  • [T1059] Command and Scripting Interpreter – The NSIS installer runs based on the ‘[NSIS].nsi’ script to carry out execution.
  • [T1112] Modify Registry – The malware alters registry values to deactivate security-related services; “When the computer is infected with LockBit 3.0, it alters registry values to deactivate the following services.”
  • [T1562.001] Impair Defenses – It deactivates security tools, including Windows Defender and related services; “disable the following services.”
  • [T1486] Data Encrypted for Impact – The ransomware encrypts user files and alters their icons/names; “it encrypts the files in the user system, and the encrypted files have their icons changed and their file names changed to ‘Original File Name.[random character array]’.”
  • [T1490] Inhibit System Recovery – By disabling Volume Shadow Copy Service (VSS), it hinders recovery efforts; the article lists VSS among the services affected.
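As an added example (not from the ASEC article), the following PowerShell check lets a defender verify whether the four services the article names have had their registry Start values changed on a host. The expected default start types in the table are assumptions about a stock Windows installation, not values taken from the article.

```powershell
# Added defensive check, not code from the ASEC article.
# Reports the configured start type of the services LockBit 3.0 is reported
# to disable (sppsvc, WinDefend, wscsvc, VSS) and flags deviations from the
# expected defaults. Registry Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
function Test-SecurityServiceTampering {
    [CmdletBinding()]
    param(
        # Assumed stock defaults; adjust to your own baseline.
        [hashtable]$Expected = @{
            'sppsvc'    = 2   # Software Protection
            'WinDefend' = 2   # Microsoft Defender Antivirus
            'wscsvc'    = 2   # Windows Security Center
            'VSS'       = 3   # Volume Shadow Copy (Manual by default)
        }
    )
    $startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($name in $Expected.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            # A missing service key is itself worth investigating.
            [pscustomobject]@{ Service = $name; Start = $null; Status = 'KeyMissing'; Suspicious = $true }
            continue
        }
        $start  = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        [pscustomobject]@{
            Service    = $name
            Start      = $startNames[[int]$start]
            Status     = $status
            # Disabled (4) or any drift from the baseline is flagged.
            Suspicious = ($start -ne $Expected[$name])
        }
    }
}

$findings = Test-SecurityServiceTampering
$findings | Format-Table -AutoSize
if ($findings.Suspicious -contains $true) {
    Write-Warning 'One or more services deviate from baseline; matches the service-tampering pattern described for LockBit 3.0. Review the host.'
}
```

Reading these keys requires no elevation, so the check can run under a standard account as part of routine host triage.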

Indicators of Compromise

  • [Hash] 2c0eeb266061631845a9e21156801afd – Example hash of the LockBit 3.0 payload referenced in the IOC Info.
  • [Hash] ad1b5253f07584c0d0c2d3caaf38af34 – Another hash tied to the sample described in the article.
  • [Filename] JobApplication_220919(Please check my experiences I’ve also included).exe – One of the distributed payload filenames.
  • [Filename] _Application_220919(Please check my experiences I’ve also included).exe – Another distributed payload filename.
  • [Filename] Resume I will work hard please see me as favorable thank you.exe – Example distribution filename.
  • [Filename] JobApplication_220907_I will work hard.exe – Example distribution filename.
  • [Filename] Resume.exe – Example distribution filename.
  • [Filename] 1213645181 file – Temporary file created by the NSIS process as part of the payload decoding and injection sequence.
  • [Family] LockBit 3.0 – Malware family referenced by detection notes.

Read more: https://asec.ahnlab.com/en/39259/