https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
Submission: On March 22 via api from DE — Scanned from DE
UNCOVERING LOCKBIT BLACK'S ATTACK CHAIN AND ANTI-FORENSIC ACTIVITY

Seqrite Blog, Ransomware. 01 February 2023. Written by Sathwik Ram Prakki. Estimated reading time: 6 minutes.

Since the infamous Conti ransomware group disbanded after its source code leaked during the Russia-Ukraine war, the LockBit group has claimed dominance. The group has adopted new extortion techniques, added a first-of-its-kind bug-bounty program, and built many new features into its leak site. Our investigation and analysis show that the new LockBit 3.0 variant combines a broad initial-access vector with an attack chain that exhibits substantial anti-forensic activity.

ATTACK OVERVIEW

LockBit's new Black variant clears event logs, kills multiple processes, and deletes services, all at the same time. It obtains initial access to the victim's network by brute forcing SMB from various IPs.

Fig. 1 – Attack Chain

The Sysinternals tool PsExec is used to execute malicious BAT files on a single system; the files were later cleaned off. Their names indicate activity related to modifying RDP and authentication settings while disabling antivirus at the same time:

* C:\Windows\system32\cmd.exe /c ""openrdp.bat" "
* C:\Windows\system32\cmd.exe /c ""mimon.bat" "
* C:\Windows\system32\cmd.exe /c ""auth.bat" "
* C:\Windows\system32\cmd.exe /c ""turnoff.bat" "

PsExec is also used to spread laterally across the victim's network and execute the ransomware payload. Encryption is multi-threaded, and in this case only shared drives were encrypted.
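Both early stages described above are noisy in standard Windows Security auditing: SMB password guessing shows up as bursts of event 4625 (logon failure, logon type 3 = network) from one source address, and PsExec execution shows up as event 4688 (process creation) with PSEXESVC.exe as the parent of cmd.exe. The following is an added example, not Seqrite's code: it runs both checks over constructed event records in a flat dict form. The field names, the 20-failures-in-5-minutes threshold and the sample events are assumptions, not data from the case.

```python
"""Added example (not Seqrite's code): flag SMB brute forcing (4625 bursts,
logon type 3) and PsExec-launched batch files (4688 with PSEXESVC.exe parent)
over constructed Windows Security event records. Field names and the
threshold are assumptions; the events are not the victim's real logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def brute_force_sources(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: peak failures} for sources with at least `threshold`
    network logon failures inside any interval of length `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            per_ip[e["src_ip"]].append(e["time"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def psexec_bat_executions(events):
    """Return (host, command line) for 4688 events in which PSEXESVC.exe spawned
    cmd.exe /c running a .bat file, the pattern seen in this intrusion."""
    found = []
    for e in events:
        if e["id"] != 4688:
            continue
        parent = e.get("parent", "").lower()
        cmd = e.get("cmdline", "").lower()
        if parent.endswith("psexesvc.exe") and "cmd.exe" in cmd and "/c" in cmd and ".bat" in cmd:
            found.append((e["host"], e["cmdline"]))
    return found


def constructed_events():
    """Constructed sample: one brute-forcing address (30 failures in 3 minutes),
    one address with a few scattered typos, one PsExec-launched batch file and
    one batch file launched interactively from Explorer."""
    t0 = datetime(2023, 1, 10, 2, 0, 0)
    ev = [{"id": 4625, "time": t0 + timedelta(seconds=6 * i), "src_ip": "203.0.113.7",
           "logon_type": 3, "user": "administrator"} for i in range(30)]
    ev += [{"id": 4625, "time": t0 + timedelta(minutes=12 * i), "src_ip": "198.51.100.9",
            "logon_type": 3, "user": "jdoe"} for i in range(5)]
    ev.append({"id": 4688, "time": t0 + timedelta(minutes=4), "host": "FS01",
               "parent": r"C:\Windows\PSEXESVC.exe",
               "cmdline": r'C:\Windows\system32\cmd.exe /c ""openrdp.bat" "'})
    ev.append({"id": 4688, "time": t0 + timedelta(minutes=5), "host": "WS07",
               "parent": r"C:\Windows\explorer.exe",
               "cmdline": r'C:\Windows\system32\cmd.exe /c ""build.bat" "'})
    return ev


if __name__ == "__main__":
    events = constructed_events()
    print("brute force sources:", brute_force_sources(events))
    for host, cmd in psexec_bat_executions(events):
        print(f"PsExec batch execution on {host}: {cmd}")
```

The sliding window matters more than the raw count: five failures spread over an hour are normal help-desk noise, while the same number inside a minute is a guessing tool. The PsExec check keys on the service parent rather than on the tool's name because attackers routinely rename psexec.exe but rarely rebuild the service binary it drops.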
The executed payload runs only when a valid key is passed with the command-line option '-pass'. Encrypted files receive the extension .zbzdbs59d, which suggests that the builder generates each payload with its own random static string.

PAYLOAD ANALYSIS

The ransomware payload is dropped inside the Windows directory, and every variant requires a unique key to be passed as an argument. This feature was previously seen in other ransomware families such as BlackCat and Egregor. If the payload is renamed from 'Lock.exe' to anything else, or placed in any other directory, it does not run. The pass key used in this case is 60c14e91dc3375e4523be5067ed3b111. Let us look at a few stages of the payload.

DECRYPTING SECTIONS

Fig. 2 – Pseudo code for decrypting PE sections

The key passed on the command line is read and verified. If verification passes, the key is processed further to derive a 1-byte key that decrypts specific PE sections, which are located by traversing the PEB structure to the loaded image. The three sections decrypted in memory are .text, .data and .pdata.

RESOLVING OBFUSCATED APIS

The payload is packed and has only a few imports. The remaining Win32 APIs are resolved at runtime by decrypting obfuscated strings with XOR using the key 0x3A013FD5, which is again unique to each payload.

Fig. 3 – Resolving APIs

PRIVILEGE ESCALATION

When the payload is not run with administrator privileges, it bypasses the UAC prompt through the CMSTPLUA COM interface, which belongs to the legitimate Windows Connection Manager service and auto-elevates. A second, elevated instance of the ransomware is started and the current process terminates.

Fig. 4 – UAC bypass using CMSTPLUA

ANTI-DEBUGGING TECHNIQUE

The threads used for file encryption are hidden from the debugger by calling the native API NtSetInformationThread with the ThreadInformationClass value 0x11 (ThreadHideFromDebugger), which is not documented.
Once a thread is hidden this way, the attached debugger no longer receives debug events from it, which hinders dynamic analysis of the ransomware's encryption threads.

Fig. 5 – Anti-debugging technique to hide threads

ANTI-FORENSIC ACTIVITY

To wipe out its traces, the payload disables Windows Event Log channels by setting the Enabled value of many channel subkeys to 0:

* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\*

Windows Defender in particular is disabled for evasion. An exhaustive list of the events cleared accompanies the original post.

SERVICE DELETION AND PROCESS TERMINATION

Terminated processes include SecurityHealthSystray.exe; the mutex created during execution is 13fd9a89b0eede26272934728b390e06. Services are enumerated against a pre-defined list and stopped or deleted when found on the machine:

1. Sense
2. Sophos
3. Sppsvc
4. Vmicvss
5. Vmvss
6. Vss
7. Veeam
8. Wdnissvc
9. Wscsvc
10. EventLog

A few of the services stopped or deleted, with the commands used:

* sc stop "Undelete"
* sc delete "LTService"
* sc delete "LTSvcMon"
* sc delete "WSearch"
* sc delete "MsMpEng"
* net stop ShadowProtectSvc
* C:\Windows\system32\net1 stop ShadowProtectSvc

TASKS KILLED

Scheduled tasks are enumerated and deleted. Some of the name patterns matched are shown below (a trailing * is a wildcard); an exhaustive list of the tasks killed accompanies the original post.
* IBM*
* PrnHtml.exe*
* DriveLock.exe*
* MacriumService.exe*
* sql*
* PAGEANT.EXE*
* CodeMeter.exe*
* ReflectMonitor.exe*
* vee*
* firefox.exe*
* DPMClient.exe*
* Atenet.Service.exe*
* sage*
* ngctw32.exe*
* ftpdaemon.exe*
* account_server.exe*
* mysql*
* omtsreco.exe
* mysqld-nt.exe*
* policy_manager.exe*
* bes10*
* nvwmi64.exe*
* sqlwriter.exe*
* update_service.exe*
* black*
* Tomcat9.exe*
* Launchpad.exe*
* BmsPonAlarmTL1.exe*
* postg*
* msmdsrv.exe*
* MsDtsSrvr.exe*
* check_mk_agent.exe*

SHADOW VOLUME COPIES DELETED

Volume shadow copies are enumerated with a WMI query and then deleted to prevent system restoration:

* vssadmin.exe Delete Shadows /All /Quiet

REMOVAL OF ALL ACTIVE NETWORK CONNECTIONS

* net use * /delete /y

REGISTRY ACTIVITY

The following registry changes replace the logon banner with a ransom message, enable Remote Desktop (fDenyTSConnections = 0), turn off LSA protection (RunAsPPL = 0) and make WDigest keep plaintext logon credentials in memory (UseLogonCredential = 1):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /t REG_SZ /d "ATTENTION to representatives!!!! Read before you log on" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /t REG_SZ /d "Your system has been tested for security and unfortunately your system was vulnerable. We specialize in file encryption and industrial (economic or corporate) espionage. We don't care about your files or what you do, nothing personal – it's just business. We recommend contacting us as your confidential files have been stolen and will be sold to interested parties unless you pay to remove them from our clouds and auction, or decrypt your files. Follow the instructions in your system" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

RANSOM NOTE

Before encryption, the ransom note is created in every directory except Program Files and the Windows directory, which are not encrypted.
The naming convention of the ransom note has also moved from 'Restore-My-Files.txt' to the static string format "zbzdbs59d.README.txt".

Fig. 6 – Ransom Note

The ransom note contains instructions to install the Tor browser, links to a chat, and the personal ID unique to the victim for communicating with the attackers. It also threatens to leak the stolen data if the ransom is not paid and ends with the usual warnings. The note lists multiple Tor mirrors of the leak site, which provides redundancy if one of them goes down.

FILE ENCRYPTION

Before file encryption starts, a DefaultIcon registry key is created to associate an icon with all encrypted files. This ICO file (zbzdbs59d.ico) and a BMP file are dropped in the C:\ProgramData directory. Files are encrypted by multiple threads; each filename is replaced with a randomly generated string and the extension is appended. Full encryption completed in under 2 minutes, and the encryption routine remains the fastest since LockBit 2.0.

Fig. 7 – Encrypted Filenames

CHANGING WALLPAPER

Finally, the desktop background of the victim machine (different from the 2.0 variant) is changed with the SystemParametersInfoW Win32 API; it displays LockBit Black and the instructions to be followed for decryption.

Fig. 8 – Modified Wallpaper

CONCLUSION

Unprotected systems in the network were brute-forced and then used to run PsExec for lateral movement and for executing LockBit's latest Black ransomware variant. With LockBit 3.0 introducing a bug bounty program and adopting new extortion tactics, precautions are mandatory: download applications only from trusted sources, use antivirus for enhanced protection, and avoid clicking links received through email or social media. As threat actors build their own variants from the leaked LockBit Black builder, proactive measures must be taken to stay protected.
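The API-string obfuscation described under Resolving Obfuscated APIs can be attacked from the analyst's side without reversing the decryption routine: if the strings are XORed with a repeating 4-byte key and the plaintexts are API names, a known-plaintext (crib) search recovers the key from the blobs alone. The following is an added example, not Seqrite's code and not LockBit's real string layout. It assumes each name is stored NUL-terminated and XORed with the DWORD key in little-endian byte order; the key value 0x3A013FD5 is the one the post reports, while the API names are a plausible import set chosen for the example.

```python
"""Added example (not Seqrite's or LockBit's code): recover a repeating
4-byte XOR key from obfuscated API-name blobs by known-plaintext search.
Assumed layout: each name NUL-terminated, XORed with the DWORD key as it
sits in memory (little-endian). Key value is the one reported in the post."""
import struct

KEY = 0x3A013FD5
KEY_BYTES = struct.pack("<I", KEY)

# API names almost every ransomware resolves; used as cribs (assumed set).
CRIBS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
         "NtSetInformationThread"]

# Names the constructed sample "payload" carries (assumed, not from the case).
SAMPLE_NAMES = ["VirtualAlloc", "LoadLibraryA", "GetProcAddress", "CreateThread",
                "NtSetInformationThread", "CryptGenRandom"]


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(names):
    """Build the blobs a packed payload would carry under the assumed layout."""
    return [xor_repeat(n.encode() + b"\0", KEY_BYTES) for n in names]


def looks_like_api_name(b: bytes) -> bool:
    """A correct decryption is a NUL-terminated ASCII identifier."""
    return (len(b) > 4 and b[-1] == 0
            and all(c < 0x80 and (chr(c).isalnum() or c == 0x5F) for c in b[:-1]))


def recover_key(blobs, cribs=CRIBS):
    """For each blob whose length matches a crib, XOR its first four bytes with
    the crib to get a candidate key; accept the candidate only if it decrypts
    every blob to a plausible API name. Returns the key as an int, or None."""
    for blob in blobs:
        for crib in cribs:
            c = crib.encode() + b"\0"
            if len(blob) != len(c):
                continue
            cand = xor_repeat(blob[:4], c[:4])          # key = ciphertext XOR plaintext
            if all(looks_like_api_name(xor_repeat(b, cand)) for b in blobs):
                return struct.unpack("<I", cand)[0]
    return None


def decrypt_names(blobs, key: int):
    kb = struct.pack("<I", key)
    return [xor_repeat(b, kb).rstrip(b"\0").decode() for b in blobs]


if __name__ == "__main__":
    blobs = obfuscate(SAMPLE_NAMES)
    key = recover_key(blobs)
    print(f"recovered key: {key:#010x}")
    print(decrypt_names(blobs, key))
```

The "decrypts every blob" check is what makes the search safe: the first blob in the sample is VirtualAlloc, which has the same length as the crib LoadLibraryA, so the first candidate key is wrong, but it fails on the NUL terminator of other blobs and is discarded. Against a real sample the blob boundaries come from the decryption loop's call sites, and the key derived this way can be confirmed against the constant the routine loads.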
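The service stops and deletions, the vssadmin and net use commands, and the registry changes listed under Service Deletion and Process Termination, Shadow Volume Copies Deleted, Removal of All Active Network Connections and Registry Activity are all visible in process-creation and registry-write telemetry. The following is an added example, not Seqrite's code: it triages command lines (as logged by event 4688 or Sysmon EventID 1) and registry value writes (as logged by Sysmon EventID 13, given here as (value path, data) pairs) against one rule set, parsing `reg add` lines into the same (path, data) form so that a reg.exe call and a direct RegSetValue hit the same rule. The rules, field names and sample lines are my assumptions; the sample lines reuse the commands quoted in the post plus a few benign ones.

```python
"""Added example (not Seqrite's code): triage of pre-encryption command lines
and registry writes against one rule set. Sample input is constructed."""
import re

# Registry values whose change reverses a protection. Pattern is matched on the
# lower-cased "key\value" path; `bad` is the data that triggers (None = any).
REGISTRY_RULES = [
    (r"\\winevt\\channels\\[^\\]+\\enabled$", "0", "event log channel disabled"),
    (r"\\control\\lsa\\runasppl$", "0", "LSA protection (RunAsPPL) off: LSASS can be dumped"),
    (r"\\securityproviders\\wdigest\\uselogoncredential$", "1", "WDigest keeps plaintext credentials"),
    (r"\\terminal server\\fdenytsconnections$", "0", "Remote Desktop enabled"),
    (r"\\policies\\system\\legalnotice(caption|text)$", None, "logon banner replaced"),
]

# Command-line patterns for the service, shadow-copy and network clean-up steps.
COMMAND_RULES = [
    (r"(^|\\)sc(\.exe)?\s+(stop|delete)\s+", "service stopped or deleted"),
    (r"(^|\\)net1?(\.exe)?\s+stop\s+", "service stopped"),
    (r"(^|\\)vssadmin(\.exe)?\s+delete\s+shadows", "volume shadow copies deleted"),
    (r"(^|\\)net(\.exe)?\s+use\s+\*\s+/delete", "all network connections removed"),
]


def split_cmd(cmdline):
    """Split a cmd.exe-style line on whitespace, keeping "quoted strings" whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Turn `reg add <key> /v <name> /t <type> /d <data> /f` into (key\\name, data)."""
    argv = split_cmd(cmdline)
    if (len(argv) < 3 or not re.fullmatch(r"(.*\\)?reg(\.exe)?", argv[0], re.I)
            or argv[1].lower() != "add"):
        return None
    name, data = "", ""
    for i, tok in enumerate(argv[3:-1], start=3):   # stop one short: argv[i + 1] must exist
        if tok.lower() == "/v":
            name = argv[i + 1]
        elif tok.lower() == "/d":
            data = argv[i + 1]
    return argv[2] + "\\" + name, data


def _norm(data):
    """Normalise "0", "0x00000000" and Sysmon's "DWORD (0x00000000)" to "0"."""
    d = str(data).strip().lower()
    m = re.search(r"0x([0-9a-f]+)|(\d+)", d)
    if not m:
        return d
    return str(int(m.group(1), 16) if m.group(1) else int(m.group(2)))


def check_registry_set(path, data):
    """Return the rule messages that a write of `data` to `path` triggers."""
    p = path.lower().replace("hkey_local_machine", "hklm")
    return [msg for pat, bad, msg in REGISTRY_RULES
            if re.search(pat, p) and (bad is None or _norm(data) == bad)]


def triage(cmdlines, registry_sets=()):
    """Return (evidence, finding) pairs for everything that matches a rule."""
    findings = []
    for line in cmdlines:
        reg = parse_reg_add(line)
        if reg is not None:
            findings += [(line, msg) for msg in check_registry_set(*reg)]
            continue
        for pat, msg in COMMAND_RULES:
            if re.search(pat, line, re.I):
                findings.append((line, msg))
                break
    for path, data in registry_sets:
        findings += [(f"{path} = {data}", msg) for msg in check_registry_set(path, data)]
    return findings


# Constructed sample: the commands quoted in the post plus benign lines that must not fire.
SAMPLE_COMMANDS = [
    'sc stop "Undelete"', 'sc delete "LTService"', 'sc delete "MsMpEng"',
    "net stop ShadowProtectSvc", r"C:\Windows\system32\net1 stop ShadowProtectSvc",
    "vssadmin.exe Delete Shadows /All /Quiet", "net use * /delete /y",
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /t REG_SZ /d "ATTENTION to representatives!!!! Read before you log on" /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
    "sc query wuauserv",
    r"reg add HKCU\Software\Contoso /v Theme /t REG_SZ /d dark /f",
]
SAMPLE_REGISTRY_SETS = [   # (TargetObject, Details) in the shape Sysmon EventID 13 reports them
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\Enabled", 0),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\Enabled", "DWORD (0x00000000)"),
    (r"HKCU\Control Panel\Desktop\Wallpaper", r"C:\ProgramData\zbzdbs59d.bmp"),
]

if __name__ == "__main__":
    for evidence, finding in triage(SAMPLE_COMMANDS, SAMPLE_REGISTRY_SETS):
        print(f"{finding:45s} <- {evidence[:70]}")
```

The payload itself disables event log channels through the registry API rather than reg.exe, which is why the example keys on the value write and not on a command line; the same rule also catches an operator doing it by hand. Any one of these findings is a routine administrative action, so the value lies in their co-occurrence within minutes on one host, which is what the flat (evidence, finding) list is meant to feed into.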
IOCS

MD5: 7E37F198C71A81AF5384C480520EE36E
Protection: Ransom.Lockbit3.S28401281, HEUR:Ransom.Win32.InP

IPs (note that 172.16.116.149 and 192.168.10.54 are RFC 1918 private addresses and are only meaningful inside the affected network):

* 3.220.57.224
* 72.26.218.86
* 71.6.232.6
* 172.16.116.149
* 78.153.199.241
* 5.233.194.222
* 27.147.155.27
* 192.168.10.54
* 87.251.67.65
* 64.62.197.182
* 43.241.25.6
* 31.43.185.9
* 194.26.29.113

Domain: Jumpsecuritybusiness[.]com

SUBJECT MATTER EXPERTS

* Tejaswini Sandapolla
* Umar Khan A
* Parag Patil
* Sathwik Ram Prakki

About the author: Sathwik Ram Prakki is a Security Researcher in Security Labs at Quick Heal. His focus areas include Threat Intelligence and Threat Hunting.