Rewterz Threat Alert – LockBit 3.0 Ransomware Spreads Via Word Documents – Active IOCs – Rewterz

LockBit 3.0 is distributed via Word documents that masquerade as job applications and trigger malicious macros to deploy encryption. The operation leverages PowerShell, mshta, and VBScript backdoors, with evasion techniques such as renaming components to avoid detection, and a new extortion model targeting multiple sectors including BFSI.
#LockBit3 #LockBitBlack #PowerShell #VBScript #MShta #NSIS #JobApplications #LimGyuMin #JeonChaeRin

Keypoints

  • LockBit 3.0 uses Word documents disguised as job applications (NSIS format) to deliver the ransomware.
  • In one case, the attack chain began with a compromised IIS server launching a remote PowerShell script, which in turn called another script embedded in a Google Sheets document.
  • To evade monitoring, attackers renamed copies of PowerShell and mshta.exe (a tactic Sophos calls “PS Rename”).
  • The backdoor installs modules and uses VBScript, downloading and executing a second backdoor on system restart.
  • LockBit 3.0 has introduced a new extortion model and shows rapid affiliate adoption, with BFSI sectors heavily affected.
  • Indicators of compromise include multiple hash values (MD5, SHA-256, SHA-1) and URLs used to fetch payloads (e.g., a DLL/EXE chain).

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – “Recently, researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails in NSIS format.”
  • [T1059.001] PowerShell – “attack began from a compromised Internet Information Server that launched a remote PowerShell script calling another script embedded in a remote Google Sheets document.”
  • [T1059.005] Visual Basic – “a malicious VBA macro script is launched.”
  • [T1036] Masquerading – “renamed copies of PowerShell and the binary for running Microsoft HTML Applications (mshta.exe)”
  • [T1105] Ingress Tool Transfer – “Additional malicious files are obtained from hxxp:/ppaauuaa11232[.]cc/aaa.exe … saved in C:\Users\Public\156498415616651651984561561658456.exe before being executed.”
  • [T1486] Data Encrypted for Impact – “Files Encryption.”
  • [T1071] Command and Control – “connects to a command and control server to retrieve and install a PowerShell module for adding a backdoor.”
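The renamed-LOLBin (“PS Rename”), Public-folder drop and macro-launched script host behaviours noted in the key points and the MITRE mapping above can be hunted for in process-creation telemetry. The following is an added detection example, not part of the Rewterz alert: the flattened “Key=Value|Key=Value” event format, the sample events and the 10-digit drop-name threshold are constructed assumptions modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, ParentImage).

```python
import re
from typing import Dict, List

# Script hosts the alert says were copied and renamed ("PS Rename"). The PE OriginalFileName
# survives a rename on disk, so it is compared against the image's actual file name.
WATCHED_ORIGINAL_NAMES = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Drop location named in the alert: C:\Users\Public\<long digit string>.exe (10+ digits assumed)
PUBLIC_NUMERIC_EXE = re.compile(r"^c:\\users\\public\\\d{10,}\.exe$", re.IGNORECASE)

# Constructed sample telemetry: flattened Sysmon Event ID 1 fields as Key=Value pairs
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|OriginalFileName=PowerShell.EXE|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1|Image=C:\\Users\\Public\\svchost_update.exe|OriginalFileName=PowerShell.EXE|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1|Image=C:\\Users\\Public\\156498415616651651984561561658456.exe|OriginalFileName=aaa.exe|ParentImage=C:\\Windows\\System32\\mshta.exe",
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|OriginalFileName=MSHTA.EXE|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return detection labels for one process-creation event (empty list if nothing matched)."""
    findings: List[str] = []
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    if original in WATCHED_ORIGINAL_NAMES and basename(image) != original:
        findings.append(f"renamed-lolbin:{original}->{basename(image)}")  # PS Rename tactic
    if PUBLIC_NUMERIC_EXE.match(image):
        findings.append("public-numeric-exe")  # payload staged under C:\Users\Public
    if parent == "winword.exe" and original in WATCHED_ORIGINAL_NAMES:
        findings.append(f"office-spawned-script-host:{original}")  # macro launching a script host
    return findings

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map each suspicious event's index to its findings; clean events are omitted."""
    results = {idx: classify(parse_event(line)) for idx, line in enumerate(lines)}
    return {idx: f for idx, f in results.items() if f}
```

The OriginalFileName check is what defeats the rename, since a copied powershell.exe keeps its version resource; pair it with hash matching against the alert's IOCs for the dropped executables.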

Indicators of Compromise

  • [MD5] context – 2d8b6275dee02ea4ed218ba2673b834e, 97c07d03556ddcfc8ebfa462df546eb5, and 2 more hashes
  • [SHA-256] context – a38149df362f90430a7042723e93963a6cecd87c77284d6ed23f7bc1ba6cd5eb, 1f0617725b2a0b0c3bb1067f0b77da049da0545710d9743813969b3bbcc563f4, and 2 more hashes
  • [SHA-1] context – 373b7298af62ab6d9be5c75c85290d3de38f5f82, c625a62c9fc3abbd7cba88e275ddb2c07368856f, and 2 more hashes
  • [URL] context – http[:]//ppaauuaa11232[.]cc/dlx5rc[.]dotm, http[:]//ppaauuaa11232[.]cc/aaa[.]exe

Read more: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-3-0-ransomware-spreads-via-word-documents-active-iocs