# Can You See It Now? An Emerging LockBit Campaign

**[fortinet.com/blog/threat-research/emerging-lockbit-campaign](https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign)**

February 28, 2023

FortiGuard Labs observed a new LockBit ransomware campaign during December and January that uses a combination of techniques effective against AV and EDR solutions. LockBit has been one of the more dangerous ransomware families, active since 2019, and it has been part of several successful attacks against a wide variety of industries, including critical infrastructure. This blog post discusses the infection chain and the Tactics, Techniques, and Procedures (TTPs) of this campaign.

## Overview

Descriptions of the attack refer to the stages outlined in Figure 1 below.

The attack starts with a .img container (1) and a social engineering trick: once the image is mounted, only a single file is displayed while the rest of its contents are hidden from the user. The same trick can cause malware analysts to miss the payloads when examining the samples manually.

Figure 1: Campaign execution stages

The user is then prompted to open the single visible shortcut (2) file.

Figure 2: Contents of the .img file, including the hidden files

In some of the cases we observed, a Python script is executed (2.1) using the official Python embeddable package. The only purpose of the script is to run the subsequent BAT scripts.

[Some variants used a known UAC bypass method abusing the legitimate fodhelper.exe (3.1).](https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses) This lets the attacker's BAT file run in a new elevated process without the user's approval.

Figure 3: UAC bypass implementation

The BAT script (4) does several things:

1. Changes the password of the logged-in user.
2. Copies its files to C:\ProgramData.
3. Ensures that after the system reboots, it logs in without user interaction (using Sysinternals Autologon).
4. Tries to:
   a. Set the next reboot to be in Safe Mode using bcdedit.exe.
   b. Register a new service that will run its VBS script (4.1) using sc.exe.
   c. Set the service to run in Safe Mode as well using reg.exe.
5. If that fails, it sets a BAT file (4.2) in the registry to be run on logon as an alternate UI shell by Winlogon.
6. Reboots the machine.

Figure 4: Persistence of the BAT file (4.2)

The ransomware executable resides within a password-protected archive. The script that runs after boot executes another BAT script (4.3) to extract the ransomware payload. It extracts the archive with the 7-Zip archiver and then runs the payload with a ‘-pass’ argument, which the malicious executable needs in order to unpack itself.

Figure 5: Command inside BAT script (4.3) decrypting and running the ransomware

[The final payload is LockBit. Analysts from Trend Micro have published an analysis of the ransomware.](https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html)

Targeting focuses on Spanish-speaking victims: all samples target Mexican or Spanish firms, mainly in the consulting and law sectors.

**Ransomware note:**

_Your data are stolen and encrypted_
_The data will be published on TOR website if you do not pay the ransom_
_You can contact us and decrypt one file for free on this TOR site_
_(you should download and install TOR browser first https://torproject.org)_
_http://_
_Your company id for log in: _

## Evasive Tradecraft

The detection rate of the samples in VirusTotal was in the single digits, with some samples completely undetected, suggesting that the campaign's methods are effective at defense evasion.

Figure 6: Detection in VirusTotal of one of the .img files

Delivery through a .img container bypasses the Mark of the Web (MOTW) protection mechanism. Multi-stage scripts that extract a password-protected ransomware executable, which in turn unpacks only when run with a unique password, evade traditional signature-based detection.
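As an added example (not code from the Fortinet post or from the campaign itself), the following Python scores process-creation command lines against the BAT script stages described above, maps each hit to the ATT&CK technique IDs listed in Appendix A, and flags a host on which several of them co-occur. The log records, the service name, the file paths and the `HYPOTHETICAL` passwords are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, image, command line), shaped like the
# fields a Sysmon Event ID 1 or EDR process log carries. Sample input for this example,
# not campaign telemetry: paths and service name are hypothetical, HYPOTHETICAL = password.
EVENTS = [
    ("WS01", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} safeboot minimal"),
    ("WS01", r"C:\Windows\System32\sc.exe",
     r'sc create UpdSvc binPath= "wscript.exe C:\ProgramData\run.vbs" start= auto'),
    ("WS01", r"C:\Windows\System32\reg.exe",
     r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc /ve /d Service /f"),
    ("WS01", r"C:\ProgramData\7z.exe",
     r"7z.exe x -pHYPOTHETICAL C:\ProgramData\payload.7z -oC:\ProgramData"),
    ("WS01", r"C:\ProgramData\documentos.exe", "documentos.exe -pass HYPOTHETICAL"),
    ("WS02", r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe,C:\ProgramData\boot.bat" /f'),
    ("WS03", r"C:\Windows\System32\sc.exe", "sc query wuauserv"),
]

# Each rule: ATT&CK technique (from Appendix A), a label, and a regex over the command line.
RULES = [
    ("T1562.009", "safe-mode boot requested via bcdedit", r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"),
    ("T1543.003", "service created via sc.exe", r"\bsc(\.exe)?\s+create\b"),
    ("T1562.009", "service registered to run in Safe Mode", r"\\SafeBoot\\(Minimal|Network)\\"),
    ("T1547.004", "Winlogon Shell value changed", r"\\Winlogon\b.*\bShell\b"),
    ("T1027.002", "password-protected archive extracted with 7-Zip", r"\b7z(a|\.exe)?\s+[xe]\b.*\s-p\S+"),
    ("T1027.002", "executable launched with -pass unpack key", r"\.exe\s+-pass\b"),
]

def classify(cmdline):
    """Return (technique, label) pairs for every rule the command line matches."""
    return [(tid, label) for tid, label, pat in RULES if re.search(pat, cmdline, re.IGNORECASE)]

def hosts_matching_chain(events, min_techniques=3):
    """Group hits per host and flag hosts touching at least min_techniques distinct
    techniques: one admin rarely configures a safe-mode boot, plants service or
    Winlogon persistence and unpacks a protected archive in the same episode."""
    seen = defaultdict(set)
    for host, _image, cmdline in events:
        for tid, _label in classify(cmdline):
            seen[host].add(tid)
    return {host: sorted(tids) for host, tids in seen.items() if len(tids) >= min_techniques}

if __name__ == "__main__":
    for host, techniques in hosts_matching_chain(EVENTS).items():
        print(f"{host}: chain matched, techniques {', '.join(techniques)}")
```

A single rule firing (as on WS02) is a hunting lead rather than an alert; the per-host correlation is what separates this chain from routine administration.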
The malware authors have shown creative and wide-ranging use of signed, legitimate executables: mounting .img files with Windows Explorer, executing Python with a signed interpreter, extracting encrypted archives with 7-Zip, and logging in automatically with Sysinternals' Autologon. This minimizes reliance on custom code, trimming development costs and staying under the radar of EDRs.

## Summary

This campaign's highly evasive nature demonstrates that attackers continue to leverage increasingly obscure methodologies to avoid detection. This unique combination of executables wasn't seen in previous LockBit attacks. [These payloads may be related to the LockBit builder leak in late 2022.](https://www.malwarebytes.com/blog/news/2022/09/lockbit-builder-leaked-by-disgruntled-developer) Hence, a definitive attribution to the original group behind LockBit, or its affiliates, may be difficult. Other cybercriminals would want to associate themselves with the deterrence already afforded by LockBit's past acts.

### Fortinet Solutions

FortiEDR detects and blocks these threats out of the box, without prior knowledge or special configuration, using its post-execution prevention engine to identify malicious activities:

Figure 7: FortiEDR blocking the ransomware

All network IOCs have been added to the FortiGuard WebFilter blocklist.

FortiGuard Antivirus has coverage in place as follows:

W32/Lockbit.K!tr.ransom

The FortiGuard Antivirus service engine is included in Fortinet's FortiGate, FortiMail, FortiClient, and FortiEDR solutions.

In addition, as part of our membership in the [Cyber Threat Alliance](https://www.fortiguard.com/cta), details of this threat were shared in real time with other Alliance members to help create better protections for customers.
Learn more about Fortinet's [FortiGuard Labs threat research and intelligence organization](https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_medium=blog&utm_campaign=fglabs) and [the FortiGuard AI-powered security services portfolio](https://www.fortinet.com/solutions/enterprise-midsize-business/security-as-a-service/fortiguard-subscriptions?utm_source=blog&utm_medium=blog&utm_campaign=services). If you think this or any other cybersecurity threat has impacted your organization, [contact our Global FortiGuard Incident Response Team](https://www.fortinet.com/corporate/about-us/contact-us/experienced-a-breach).

## Appendix A: MITRE ATT&CK Tactics and Techniques

| Tactic / Technique ID | Description |
| --- | --- |
| **TA0002** | **Execution** |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1059.005 | Command and Scripting Interpreter: Visual Basic |
| T1059.006 | Command and Scripting Interpreter: Python |
| T1204.002 | User Execution: Malicious File |
| **TA0003** | **Persistence** |
| T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
| T1053.005 | Scheduled Task/Job: Scheduled Task |
| T1543.003 | Create or Modify System Process: Windows Service |
| **TA0005** | **Defense Evasion** |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| T1027.002 | Obfuscated Files or Information: Software Packing |
| T1562.009 | Impair Defenses: Safe Mode Boot |
| **TA0040** | **Impact** |
| T1486 | Data Encrypted for Impact |
| T1529 | System Shutdown/Reboot |

## Appendix B: IoCs