New MOTW Bypass Method Introduced by LockBit


Despite being on the winning side of the race, LockBit operators continue to exfiltrate data from high-profile organizations and add those organizations' names to the gang's leak site. It is well known that the tactics and techniques the gang employs are one of the significant factors contributing to the murders of innocent individuals. Among the gang's evasion tradecraft, researchers have come across one such technique.

Delivering the payload inside a .img container bypasses the protection mechanism provided by the Mark of the Web (MOTW). Combined with scripts that extract a password-protected executable from a compressed archive, which can only be unpacked when the correct password is supplied, this lets the operators evade traditional signature-based detection.

Revolutionary Techniques: What are They? 

In a campaign conducted between December and January of this year, Fortinet researchers observed that LockBit operators were using evasion techniques to stay hidden.

  • The campaign delivers a .img file that, once mounted, contains the malware files: one is visible to the user and the others are hidden. Because the files inside a mounted .img container are not marked with the MOTW, attackers evade its protection mechanism by sending the attack through this container format.
  • Once the user opens the single visible file, a set of BAT scripts is downloaded. These scripts check whether the targeted system is running at the required privilege level.
  • In some cases the embeddable package from the official Python distribution is used to run Python scripts. Some of these scripts change the system's password and settings without the user's knowledge.
  • The final payload is the LockBit ransomware itself, which a BAT script extracts from a password-protected archive and executes.
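The chain above hinges on one property of the MOTW: a downloaded .img file carries a Zone.Identifier alternate data stream (ZoneId=3 for the Internet zone), but the files inside it, once Windows mounts the image as a volume, carry nothing, so SmartScreen and Office Protected View never see them. The following added example (not code from the original post, Fortinet, or any LockBit sample) parses Zone.Identifier stream content and classifies file records the way an endpoint scan could, flagging downloaded disk images and MOTW-less scripts on a non-system volume. The sample records, the `C:` system-drive heuristic, the severity labels and the container/extension sets are constructed assumptions for this example; the ZoneId numbering and the stream's `[ZoneTransfer]` layout are the real Windows format.

```python
"""
Added example: classify files by Mark of the Web (MOTW) state to surface the
"mounted image without Zone.Identifier" delivery pattern. Not code from the
original post; sample data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Optional, Tuple

# URL security zone numbers as written in the ZoneId= field of the
# ":Zone.Identifier" NTFS alternate data stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Containers that Windows mounts as a volume; files inside the mounted volume
# do not carry the Zone.Identifier stream the container itself received.
MOUNTABLE_CONTAINERS = {".img", ".iso", ".vhd", ".vhdx"}
# Script/executable types whose MOTW state drives SmartScreen decisions.
EXECUTABLE_TYPES = {".bat", ".cmd", ".exe", ".js", ".vbs", ".ps1", ".lnk"}
# Assumption for this example: the system volume is C:, so a script running
# from any other drive letter may live inside a mounted image.
SYSTEM_DRIVE = "C:"


@dataclass
class FileRecord:
    """A file as seen by an endpoint scan: its path and the raw content of
    its Zone.Identifier stream (None when the stream is absent)."""
    path: str
    zone_identifier: Optional[str]


def parse_zone_identifier(stream: Optional[str]) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns key/value pairs as strings; an absent or malformed stream yields
    an empty dict. URL values may contain '=', so each line is split once.
    """
    fields: Dict[str, str] = {}
    if not stream:
        return fields
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: Optional[str]) -> Optional[int]:
    """Return the numeric ZoneId, or None if the stream lacks a valid one."""
    value = parse_zone_identifier(stream).get("ZoneId")
    return int(value) if value is not None and value.isdigit() else None


def assess(record: FileRecord) -> Tuple[str, str]:
    """Return (severity, reason) for one file record."""
    p = PureWindowsPath(record.path)
    ext = p.suffix.lower()
    zone = zone_id(record.zone_identifier)
    untrusted = zone in (3, 4)

    if ext in MOUNTABLE_CONTAINERS and untrusted:
        return ("high", f"{ZONE_NAMES[zone]} disk image: contents will mount without MOTW")
    if ext in EXECUTABLE_TYPES and zone is None:
        if p.drive.upper() != SYSTEM_DRIVE:
            return ("high", f"script/executable without MOTW on non-system volume {p.drive}")
        return ("medium", "script/executable without MOTW")
    if untrusted:
        return ("info", f"MOTW present ({ZONE_NAMES[zone]}); SmartScreen/Protected View apply")
    return ("low", "no MOTW concern")


# Constructed sample records modelled on the delivery chain in the post
# (not real artifacts from the campaign).
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\alice\Downloads\invoice.img",
               "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.img\r\n"),
    FileRecord(r"E:\invoice.bat", None),         # the one visible file in the mounted image
    FileRecord(r"E:\.hidden\stage2.bat", None),  # hidden helper script in the image
    FileRecord(r"C:\Users\alice\Downloads\report.docx",
               "[ZoneTransfer]\r\nZoneId=3\r\n"),
    FileRecord(r"C:\Tools\build.bat", None),     # local script, never downloaded
]


def scan(records):
    """Assess every record; returns (path, severity, reason) triples."""
    return [(r.path, *assess(r)) for r in records]


if __name__ == "__main__":
    for path, severity, reason in scan(SAMPLE_RECORDS):
        print(f"{severity:6} {path}: {reason}")
```

On a real NTFS volume the stream content for `parse_zone_identifier` comes from reading `path + ":Zone.Identifier"`; the scan would report the downloaded `.img` and both `.bat` files on the mounted `E:` volume as high, while the document that still carries ZoneId=3 is only informational because its protections remain intact.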

The Exploitation Strategy of LockBit

  • LockBit 3.0, released by the LockBit operators in June 2022, caught the attention of researchers because it added enhanced anti-analysis features and evasion improvements. In this regard it resembled BlackMatter ransomware: it packaged code into byte strings, created function trampolines, and resolved function addresses dynamically, techniques used in the malware's execution.
  • The operators suffered a slight setback toward the end of September 2022, when disgruntled developers allegedly leaked the LockBit 3.0 source code to the media. The attackers were not lastingly affected, however: LockBit Green followed in February, bringing an upgraded variant to the threat landscape.
  • According to reverse-engineering analysis, this updated version draws on code that was used in the Conti ransomware.
  • The recently released LockBit Green variant is believed to have targeted at least five victims so far.
Several successful ransomware attacks using LockBit were reported in the second and third quarters of 2022, and LockBit remains one of the most active ransomware families in RaaS and extortion attacks. Based on data gathered from leak sites, LockBit tallied 436 victim organizations between April and September.

Exfiltrator-22, or EX-22, is a new post-exploitation framework developed by a group of former LockBit affiliates and members. It was built using source code leaked from other well-known post-exploitation frameworks.

EX-22 is offered under a framework-as-a-service model and is designed to spread ransomware across corporate networks during post-exploitation without being detected by the victim.

LockBit ransomware has targeted a variety of industries in recent years, including a range of critical infrastructure sectors. Experts expect the threat actors to keep using obscure methodologies to avoid detection for as long as new variants with additional capabilities continue to be released.