LockBit ransomware strikes via malicious Word resumes

LockBit ransomware is making a comeback through a new wave of attacks, this time employing Word files as its distribution method.

A recent investigation from the AhnLab Security Intelligence Center (ASEC) points to a concerning trend where the ransomware is camouflaging itself within seemingly innocuous resumes, a tactic reminiscent of its previous modes of operation.

The modus operandi involves the use of external URLs embedded in Word files. This distribution technique was first identified in 2022, marking a continued evolution in LockBit’s tactics.

The recently discovered Word files, posing as resumes, contain an external link inside the internal relationship part word/_rels/settings.xml.rels. When the Word file is opened, a document file carrying additional malicious macro code is downloaded from that external URL.

Notably, the file properties closely resemble those of previously distributed documents, indicating the potential reuse of past materials. The inclusion of images within the file serves as a visual prompt, urging users to activate a malicious VBA macro. Once initiated, the VBA macro from the downloaded document file executes, revealing the identified external URLs as follows:

  • hxxps://viviendas8[.]com/bb/qhrx1h.dotm
  • hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
  • hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm

The embedded macro code, obfuscated similarly to cases identified in 2022, ultimately triggers PowerShell to download and execute the LockBit ransomware.
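The chain above starts with a single external relationship in word/_rels/settings.xml.rels, which is something a defender can check before Word ever opens the file. The following triage script is an added example written for this article, not ASEC's or the attackers' code: it unpacks a .docx as the ZIP container it is, parses that relationship part, and returns any TargetMode="External" relationship that points at a URL or carries the attachedTemplate type. The helper that builds a minimal test document and the URL it embeds are constructed placeholders, not real samples or indicators.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# The OOXML relationship part that the resume lures abuse.
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def external_template_targets(docx_bytes: bytes) -> list:
    """Return external Target URLs found in word/_rels/settings.xml.rels.

    A clean document usually has no settings.xml.rels part at all, or only
    package-internal relationships. A remote-template document carries an
    attachedTemplate relationship with TargetMode="External" pointing at a
    URL; Word fetches that template (and its macros) when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        try:
            root = ET.fromstring(z.read(SETTINGS_RELS))
        except ET.ParseError:
            # Malformed XML in this part is itself worth a second look.
            return ["<unparseable settings.xml.rels>"]
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            is_external = rel.get("TargetMode", "").lower() == "external"
            is_template = rel.get("Type") == ATTACHED_TEMPLATE
            if is_external and (is_template or URL_SCHEME.match(target)):
                hits.append(target)
    return hits


def build_sample_docx(template_url=None) -> bytes:
    """Constructed minimal .docx for testing; not a real malicious sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        if template_url:  # only the "malicious" variant gets the external relationship
            z.writestr(SETTINGS_RELS,
                       f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId1' "
                       f"Type='{ATTACHED_TEMPLATE}' Target='{template_url}' "
                       f"TargetMode='External'/></Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    sample_url = "https://template.example.invalid/resume.dotm"  # placeholder, not a real IoC
    print("clean:", external_template_targets(build_sample_docx()))
    print("remote template:", external_template_targets(build_sample_docx(sample_url)))
```

Run it against a real mail attachment by passing the file's bytes to external_template_targets; a non-empty result means the document will reach out to that URL on open.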

A sample of the malicious Word resume file. | Source: ASEC

The identified download URLs for LockBit 3.0 ransomware are:

  • hxxps://learndash.825testsites[.]com/b/abc.exe
  • hxxps://viviendas8[.]com/bb/abc.exe
  • hxxps://neverlandserver.nn[.]pe/b/abc.exe

Upon execution of the downloaded LockBit 3.0 ransomware, it encrypts files on the victim’s PC, rendering them inaccessible.

Researchers advise exercising heightened caution, as the attackers are not solely relying on LockBit ransomware. Various other malware strains are also being disseminated under the guise of resumes.

The ransomware group has targeted multiple countries in the past, including the US and India. LockBit has also been known to target large organisations such as SpaceX and Apple, and the group has diversified its victims by targeting financial firms and critical infrastructure.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
