LockBit ransomware is making a comeback through a new wave of attacks, this time employing Word files as its distribution method.
A recent investigation from the AhnLab Security Intelligence Center (ASEC) points to a concerning trend where the ransomware is camouflaging itself within seemingly innocuous resumes, a tactic reminiscent of its previous modes of operation.
The modus operandi involves the use of external URLs embedded in Word files. This distribution technique was first identified in 2022, marking a continued evolution in LockBit’s tactics.
The recently discovered Word files, posing as resumes, contain an external link within the internal file word\_rels\settings.xml.rels. When the Word file is opened, a document file carrying additional malicious macro code is downloaded from the external URL.
Notably, the file properties closely resemble those of previously distributed documents, indicating the potential reuse of past materials. The inclusion of images within the file serves as a visual prompt, urging users to activate a malicious VBA macro. Once initiated, the VBA macro from the downloaded document file executes, revealing the identified external URLs as follows:
- hxxps://viviendas8[.]com/bb/qhrx1h.dotm
- hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
- hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm
The embedded macro code, obfuscated similarly to cases identified in 2022, ultimately triggers PowerShell to download and execute the LockBit ransomware.
The identified download URLs for LockBit 3.0 ransomware are:
- hxxps://learndash.825testsites[.]com/b/abc.exe
- hxxps://viviendas8[.]com/bb/abc.exe
- hxxps://neverlandserver.nn[.]pe/b/abc.exe
Upon execution of the downloaded LockBit 3.0 ransomware, it encrypts files on the victim’s PC, rendering them inaccessible.
Researchers advise exercising heightened caution, as the attackers are not solely relying on LockBit ransomware. Various other malware strains are also being disseminated under the guise of resumes.
The ransomware group has targeted multiple countries in the past, including the US and India. LockBit has also been known to target large organisations such as SpaceX and Apple, and has diversified its victims to include financial firms and critical infrastructure.