www.seqrite.com (103.228.50.20) Public Scan

URL: https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
Submission: On March 22 via api from DE — Scanned from DE

01 February 2023


UNCOVERING LOCKBIT BLACK’S ATTACK CHAIN AND ANTI-FORENSIC ACTIVITY

Written by Sathwik Ram Prakki




Since the infamous Conti ransomware group disbanded following source code leaks
during the Russia-Ukraine war, the LockBit group has claimed dominance. The
group has adopted new extortion techniques and added a first-of-its-kind
bug-bounty program, along with many other features, to advance its new leak
site. Upon investigation and analysis, we have determined that the new LockBit
3.0 variant has a high infection vector and an attack chain exhibiting
substantial anti-forensic activity.


ATTACK OVERVIEW

LockBit’s new Black variant exhibited anti-forensic activity: it cleared event
logs, killed multiple tasks, and deleted services simultaneously. It obtains
initial access to the victim’s network via SMB brute forcing from various IPs.



Fig. 1 – Attack Chain

The Sysinternals tool PsExec is used to execute malicious BAT files on a single
system; the files were later cleaned off. Their names indicate activity related
to modifying RDP and authentication settings while disabling antivirus at the
same time:

 * C:\Windows\system32\cmd.exe /c ""openrdp.bat" "
 * C:\Windows\system32\cmd.exe /c ""mimon.bat" "
 * C:\Windows\system32\cmd.exe /c ""auth.bat" "
 * C:\Windows\system32\cmd.exe /c ""turnoff.bat" "

PsExec is also used to spread laterally across the victim’s network and execute
the ransomware payload. Encryption uses a multi-threaded approach, and only
shared drives were encrypted. The executed payload must receive a valid key
through the command-line option '-pass'. Encrypted files are given the
.zbzdbs59d extension, which suggests that the builder generates each payload
with its own random static string.


PAYLOAD ANALYSIS

The ransomware payload is dropped inside the Windows directory, and every
variant requires a unique key to be passed as an argument. This feature was
previously seen in other ransomware families such as BlackCat and Egregor. If
the payload is renamed from 'Lock.exe' to anything else, or placed in any other
directory, it does not run. The pass key used in this case is
60c14e91dc3375e4523be5067ed3b111.

Let us look at a few stages of the payload below:


DECRYPTING SECTIONS



Fig. 2 – Pseudo code for decrypting PE Sections

The key passed as an argument is read from the command line and verified. If it
passes verification, the key is further processed to derive a 1-byte key that
decrypts specific sections, located by traversing the PEB structure. The three
sections decrypted in memory are TEXT, DATA, and PDATA.


RESOLVING OBFUSCATED APIS

Because the payload is packed and carries only a few imports, Win32 APIs are
resolved at runtime by XOR-decrypting the obfuscated API name strings with the
key 0x3A013FD5, which is again unique to each payload.



Fig. 3 – Resolving APIs


PRIVILEGE ESCALATION

When admin privileges are not present during execution, the payload abuses the
CMSTPLUA COM interface of the legitimate Windows Connection Manager service to
bypass the UAC prompt. This elevates rights from user to administrator level by
launching another instance of the ransomware payload and terminating the
current process.



Fig. 4 – UAC Bypass using CMSTPLUA


ANTI-DEBUGGING TECHNIQUE

Threads used for file encryption are hidden from the debugger by calling the
NtSetInformationThread API with the undocumented ThreadInformationClass value
0x11, which denotes ThreadHideFromDebugger. This hinders dynamic analysis by
preventing debug events from the ransomware’s thread from reaching the attached
debugger.



Fig. 5 – Anti-Debugging technique to hide threads


ANTI-FORENSIC ACTIVITY

As part of wiping out its traces, extensive anti-forensic activity is observed:
Windows Event Logs are disabled by setting multiple registry subkeys under the
following path to the value 0.

 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\*

Windows Defender is specifically disabled for evasion. An exhaustive list of
the events cleared is linked from the post.

SERVICE DELETION AND PROCESS TERMINATION

Processes terminated include SecurityHealthSystray.exe, and the mutex created
during execution is 13fd9a89b0eede26272934728b390e06. Services are enumerated
against a pre-defined list and deleted or killed if found on the machine:

 1.  Sense
 2.  Sophos
 3.  Sppsvc
 4.  Vmicvss
 5.  Vmvss
 6.  Vss
 7.  Veeam
 8.  Wdnissvc
 9.  Wscsvc
 10. EventLog

A few of the services deleted:

 * sc stop "Undelete"
 * sc delete "LTService"
 * sc delete "LTSvcMon"
 * sc delete "WSearch"
 * sc delete "MsMpEng"
 * net stop ShadowProtectSvc
 * C:\Windows\system32\net1 stop ShadowProtectSvc

TASKS KILLED

Scheduled tasks are enumerated and deleted; some of the name patterns matched
(a trailing * acts as a wildcard) are shown below. An exhaustive list of the
tasks killed is linked from the post.

IBM*, PrnHtml.exe*, DriveLock.exe*, MacriumService.exe*, sql*, PAGEANT.EXE*,
CodeMeter.exe*, ReflectMonitor.exe*, vee*, firefox.exe*, DPMClient.exe*,
Atenet.Service.exe*, sage*, ngctw32.exe*, ftpdaemon.exe*, account_server.exe*,
mysql*, omtsreco.exe, mysqld-nt.exe*, policy_manager.exe*, bes10*, nvwmi64.exe*,
sqlwriter.exe*, update_service.exe*, black*, Tomcat9.exe*, Launchpad.exe*,
BmsPonAlarmTL1.exe*, postg*, msmdsrv.exe*, MsDtsSrvr.exe*, check_mk_agent.exe*

SHADOW VOLUME COPIES DELETED

Volume shadow copies are enumerated using a WMI query and then deleted to
prevent system restoration:

 * vssadmin.exe Delete Shadows /All /Quiet

REMOVAL OF ALL ACTIVE NETWORK CONNECTIONS

 * net use * /delete /y
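The command lines quoted in this post (the PsExec-launched batch files, the sc/net service removal, the shadow-copy deletion and the share teardown) map directly onto process-creation detections. The Python helper below is an added example, not Seqrite's code; it assumes each event has been reduced to a parent image path and a command line (as Sysmon Event ID 1 provides), treats PSEXESVC.exe as PsExec's service-side parent process, and runs over constructed sample records.

```python
"""Detection logic for the LockBit Black command-line activity in this post.

Added example, not Seqrite's code. Each event is a process-creation record
reduced to {"parent": <image path>, "cmd": <command line>}, as Sysmon
Event ID 1 or Windows event 4688 would provide. Sample events are constructed.
"""
import re

# (rule name, compiled regex over the command line)
RULES = [
    ("shadow_copy_deletion",            # vssadmin.exe Delete Shadows /All /Quiet
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("network_share_teardown",          # net use * /delete /y
     re.compile(r"\bnet1?(?:\.exe)?\s+use\s+\*\s+/delete\s+/y", re.I)),
    ("backup_or_av_service_removal",    # sc stop/delete or net stop of the listed services
     re.compile(r'\b(?:sc(?:\.exe)?\s+(?:delete|stop)|net1?(?:\.exe)?\s+stop)\s+"?'
                r'(?:Undelete|LTService|LTSvcMon|WSearch|MsMpEng|ShadowProtectSvc)"?', re.I)),
    ("remote_batch_execution",          # cmd.exe /c ""<name>.bat" "
     re.compile(r'cmd\.exe\s+/c\s+""[^"]+\.bat"\s*"', re.I)),
]

SAMPLE_EVENTS = [  # constructed to mirror the command lines quoted in the post
    {"parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""openrdp.bat" "'},
    {"parent": r"C:\Windows\system32\cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"parent": r"C:\Windows\system32\cmd.exe", "cmd": 'sc delete "MsMpEng"'},
    {"parent": r"C:\Windows\system32\net.exe", "cmd": r"C:\Windows\system32\net1 stop ShadowProtectSvc"},
    {"parent": r"C:\Windows\system32\cmd.exe", "cmd": "net use * /delete /y"},
    # Benign look-alikes: an admin mapping a share and querying a service.
    {"parent": r"C:\Windows\explorer.exe", "cmd": r"net use Z: \\fileserver\share /persistent:yes"},
    {"parent": r"C:\Windows\system32\cmd.exe", "cmd": "sc query MsMpEng"},
]

def classify(event: dict) -> list:
    """Return the rule names one process-creation event matches."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    # A batch file is only the post's lateral-movement pattern when PsExec's
    # service-side binary (PSEXESVC.exe) launched it; a user's own .bat is not.
    if "remote_batch_execution" in hits and not event["parent"].lower().endswith("psexesvc.exe"):
        hits.remove("remote_batch_execution")
    return hits

def triage_host(events) -> dict:
    """Group matching command lines by rule for one host. Several distinct rules
    firing within a short window is the combined chain this post describes."""
    findings = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["cmd"])
    return findings

if __name__ == "__main__":
    for rule, cmds in triage_host(SAMPLE_EVENTS).items():
        print(f"{rule}: {cmds}")
```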

REGISTRY ACTIVITY

 * reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /t REG_SZ /d "ATTENTION to representatives!!!! Read before you log on" /f
 * reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /t REG_SZ /d "Your system has been tested for security and unfortunately your system was vulnerable. We specialize in file encryption and industrial (economic or corporate) espionage. We don’t care about your files or what you do, nothing personal – it’s just business. We recommend contacting us as your confidential files have been stolen and will be sold to interested parties unless you pay to remove them from our clouds and auction, or decrypt your files. Follow the instructions in your system" /f
 * reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 * reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
 * reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
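Taken together, these registry changes open RDP (fDenyTSConnections=0), turn off LSA protection (RunAsPPL=0), re-enable WDigest cleartext credential caching (UseLogonCredential=1) and replace the logon banner, while the WINEVT\Channels changes from the anti-forensic section silence event logging. The Python check below is an added example rather than Seqrite's code: it evaluates registry set-value records shaped like Sysmon Event ID 13 (a TargetObject path plus a Details string, assumed to read like "DWORD (0x00000000)" for numeric values) against exactly those keys, assumes Enabled is the per-channel value the post refers to, and uses constructed sample records.

```python
"""Registry-change check for the LockBit Black modifications in this post.
Added example, not Seqrite's code. Records are (TargetObject, Details) pairs in the
shape of Sysmon Event ID 13; Details is assumed to read like "DWORD (0x00000000)"
for numeric values. Sample records are constructed."""
import re
from typing import Optional

# (rule name, regex on the registry path, predicate on the decoded value)
RULES = [
    # WINEVT\Channels\* set to 0 (the per-channel value is assumed to be Enabled)
    ("event_log_channel_disabled",
     re.compile(r"\\WINEVT\\Channels\\[^\\]+\\Enabled$", re.I), lambda v: v == 0),
    # LSA /v RunAsPPL /d 0: LSA protection switched off
    ("lsa_protection_disabled",
     re.compile(r"\\Control\\Lsa\\RunAsPPL$", re.I), lambda v: v == 0),
    # WDigest /v UseLogonCredential /d 1: cleartext credential caching back on
    ("wdigest_cleartext_credentials_enabled",
     re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I), lambda v: v == 1),
    # Terminal Server /v fDenyTSConnections /d 0: RDP opened
    ("rdp_connections_enabled",
     re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.I), lambda v: v == 0),
    # Policies\System legalnoticecaption / legalnoticetext: ransom logon banner
    ("logon_banner_modified",
     re.compile(r"\\Policies\\System\\legalnotice(?:caption|text)$", re.I), lambda v: True),
]

def decode_details(details: str):
    """Hex DWORD or plain integer text becomes an int; anything else stays a string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details) or re.fullmatch(r"\s*(\d+)\s*", details)
    return int(m.group(1), 16 if "0x" in details else 10) if m else details

def evaluate(target_object: str, details: str) -> Optional[str]:
    """Return the rule one set-value record triggers, or None."""
    value = decode_details(details)
    for name, path_rx, pred in RULES:
        if path_rx.search(target_object) and pred(value):
            return name
    return None

def audit(records) -> dict:
    """Map each triggered rule to the registry paths that triggered it."""
    findings = {}
    for target, details in records:
        name = evaluate(target, details)
        if name:
            findings.setdefault(name, []).append(target)
    return findings

SAMPLE_RECORDS = [  # constructed, mirroring the post's reg add lines
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\Enabled",
     "DWORD (0x00000000)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\LSA\RunAsPPL", "DWORD (0x00000000)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential", "DWORD (0x00000001)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "DWORD (0x00000000)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption",
     "ATTENTION to representatives!!!! Read before you log on"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\LSA\RunAsPPL", "DWORD (0x00000001)"),  # hardening, no hit
]
```

Calling audit(SAMPLE_RECORDS) yields the five findings; the final record, which turns LSA protection on rather than off, correctly produces nothing.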


RANSOM NOTE

Before encryption, the ransom note is created in every directory except
Program Files and the Windows directory, which are not encrypted. The naming
convention of the ransom note has moved from 'Restore-My-Files.txt' to the
static-string format "zbzdbs59d.README.txt".



Fig. 6 – Ransom Note

The ransom note contains instructions to install the TOR browser, links for a
chat, and the personal ID unique to the victim for communicating with the
attackers. It also includes the threat to leak the stolen data if the ransom is
not paid, and ends with the usual warnings. Multiple TOR mirrors for their leak
site can be seen in the ransom note, which is used to reduce redundancy.


FILE ENCRYPTION

Before starting file encryption, a DefaultIcon registry key is created to
associate an icon with all encrypted files. Along with this ICO file
(zbzdbs59d.ico), a BMP file is also dropped in the C:\ProgramData directory.
Files are encrypted by multiple threads; each filename is replaced with a
randomly generated string and the extension is appended. With full encryption
completing in under 2 minutes, it retains the fastest encryption process seen
since LockBit 2.0.



Fig. 7 – Encrypted Filenames


CHANGING WALLPAPER

Finally, the desktop background of the victim machine (different from the 2.0
variant) is changed using the SystemParametersInfoW Win32 API; it displays
"LockBit Black" and the instructions to follow for decryption.



Fig. 8 – Modified Wallpaper


CONCLUSION

Unprotected systems in the network were brute-forced and then used to run the
PsExec tool for lateral movement across systems, executing LockBit’s latest
Black ransomware variant. With LockBit 3.0 introducing a bug bounty program and
adopting new extortion tactics, it is essential to take precautions such as
downloading applications only from trusted sources, using antivirus for
enhanced protection, and avoiding clicking on links received through email or
social media platforms. As threat actors create their own variants from the
leaked LockBit Black builder, proactive measures must be taken to stay
protected.


IOCS

MD5                               Protection
7E37F198C71A81AF5384C480520EE36E  Ransom.Lockbit3.S28401281
                                  HEUR:Ransom.Win32.InP



SUBJECT MATTER EXPERTS

 * Tejaswini Sandapolla
 * Umar Khan A
 * Parag Patil
 * Sathwik Ram Prakki




About Sathwik Ram Prakki



Sathwik Ram Prakki is working as a Security Researcher in Security Labs at Quick
Heal. His focus areas are Threat Intelligence, Threat Hunting, and writing
about...
