Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 

Authored by: Ross Inman (@rdi_x64)

Summary

tl;dr

This post explores some of the TTPs employed by a threat actor who was observed deploying LockBit 3.0 ransomware during an incident response engagement.

The findings presented in this blog post are summarized below:

  • Initial access via SocGholish.
  • Establishing persistence to run Cobalt Strike beacon.
  • Disabling of Windows Defender and Sophos.
  • Use of information gathering tools such as Bloodhound and Seatbelt.
  • Lateral movement leveraging RDP and Cobalt Strike.
  • Use of 7zip to collect data for exfiltration.
  • Cobalt Strike use for Command and Control. 
  • Exfiltration of data to Mega.
  • Use of PsExec to push out ransomware.

LockBit 3.0

The emergence of LockBit 3.0, aka “LockBit Black”, noted in June of this year, has coincided with a large increase in victims being published to the LockBit leak site, indicating that the past few months have been a period of intense activity for the LockBit collective.

In the wake of the apparent implosion of the previously prolific ransomware group CONTI [1], it seems that the LockBit operators are looking to fill the void, presenting a continued risk of encryption and data exfiltration to organizations around the world.

TTPs

Initial Access

Initial access into the network was gained via the download of a malware-laced zip file containing SocGholish. Once executed, SocGholish initiated the download of a Cobalt Strike beacon, which was written to the folder C:\ProgramData\VGAuthService with the filename VGAuthService.dll. Alongside this, the Windows command-line utility rundll32.exe was copied to the same folder, renamed to VGAuthService.exe and used to execute the Cobalt Strike DLL.

PowerShell commands were also executed by the SocGholish malware to gather system and domain information:

  • powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net group 'Domain Admins' /domain ; net group 'Enterprise Admins' /domain ; net localgroup Administrators /domain ; net localgroup Administrators ;
  • powershell /c Get-WmiObject win32_service -ComputerName localhost | Where-Object {$_.PathName -notmatch 'c:\\win'} | select Name, DisplayName, State, PathName | findstr 'Running' 

Persistence

A persistence mechanism was installed by SocGholish using the startup folder of the infected user to ensure execution at user logon. The shortcut file C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGAuthService.lnk was created and configured to execute the following command which will run the Cobalt Strike beacon deployed to the host:

C:\ProgramData\VGAuthService\VGAuthService.exe C:\ProgramData\VGAuthService\VGAuthService.dll,DllRegisterServer

Defence Evasion

A batch script named 123.bat was observed on multiple hosts, where it had been deployed via PsExec. The script was capable of uninstalling Sophos, disabling Windows Defender and terminating running services whose names contained specific strings. The contents of the batch script are provided below:

Figure 1: 123.bat contents

The ransomware binary also clears key Windows event logs, including Application, System and Security, and prevents any further events from being written by targeting the EventLog service.

Discovery

Bloodhound was executed days after the initial SocGholish infection on the patient zero host. The output file was created in the C:\ProgramData\ directory and had the file extension .bac instead of the usual .zip; however, the file was still a zip archive.
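Because the Bloodhound output above was a zip archive carrying a .bac extension, triage that keys on file extensions alone would miss it. The following is an added example, not code from the original post or from NCC Group: it identifies zip archives by their leading signature bytes rather than their name and lists the members of any archive found under a directory. The sample directory, its file names and the archive member names are constructed for the example and are not from the engagement.

```python
"""Find zip archives by content rather than extension (added example)."""
import os
import tempfile
import zipfile

# Signatures a zip file can begin with: local file header, end-of-central-directory
# record of an empty archive, and the spanned/split archive marker.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def is_zip_by_signature(path: str) -> bool:
    """True if the first four bytes are a zip signature, whatever the extension says."""
    with open(path, "rb") as fh:
        return fh.read(4) in ZIP_SIGNATURES


def find_disguised_archives(directory: str) -> list:
    """Files under directory that are zip archives by content but do not carry a
    .zip extension.  Full paths are returned, sorted for deterministic output."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not name.lower().endswith(".zip") and is_zip_by_signature(path):
                found.append(path)
    return sorted(found)


def archive_members(path: str) -> list:
    """Member names of an archive, for a first look at what was collected."""
    with zipfile.ZipFile(path) as zf:
        return sorted(zf.namelist())


def build_sample_directory() -> str:
    """Constructed stand-in for a ProgramData folder: one zip saved with a .bac
    extension (as on the page), one ordinary .zip and one plain text file.
    File and member names are illustrative only."""
    directory = tempfile.mkdtemp(prefix="programdata_sample_")
    with zipfile.ZipFile(os.path.join(directory, "collection.bac"), "w") as zf:
        zf.writestr("computers.json", "{}")
        zf.writestr("users.json", "{}")
    with zipfile.ZipFile(os.path.join(directory, "legit.zip"), "w") as zf:
        zf.writestr("readme.txt", "ok")
    with open(os.path.join(directory, "seat.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed stand-in for Seatbelt output\n")
    return directory


if __name__ == "__main__":
    sample = build_sample_directory()
    for hit in find_disguised_archives(sample):
        print(hit, "->", archive_members(hit))
```

Pointing `find_disguised_archives` at a collected copy of C:\ProgramData surfaces renamed archives regardless of extension; the member listing then tells you quickly whether the archive is collection output worth examining further.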

A TGS ticket for a single account was observed on patient zero in a text file under C:\ProgramData\. It appears the threat actor was gathering TGS tickets for SPNs associated with the compromised user.

Seatbelt [2] was also executed on the patient zero host alongside Bloodhound. Security-oriented information about the host gathered by Seatbelt was written to the file C:\ProgramData\seat.txt.

Lateral Movement

The following methods were utilized to move laterally throughout the victim network:

  • Cobalt Strike remotely installed temporary services on targeted hosts which executed a Cobalt Strike beacon. An example of the command line the services were configured to run is provided below:

    rundll32.exe c:\programdata\svchost1.dll,DllRegisterServer

  • RDP sessions were established using a highly privileged account the threat actor had compromised previously.
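The execution patterns described in the Initial Access, Persistence, Defence Evasion and Lateral Movement sections (a renamed copy of rundll32.exe, a DLL under C:\ProgramData loaded through DllRegisterServer, a beacon started directly by a temporary service, and cleared Security event logs) translate into simple detection rules. The following is an added example, not code from the original post or from NCC Group. The event records are constructed for the example; their field names, the rule names and the `evaluate` helper are this example's own conventions, modelled loosely on Sysmon process-creation events and the Windows Security log.

```python
"""Detection rules for the execution patterns on this page (added example)."""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events (not from the engagement).
SAMPLE_EVENTS: List[Event] = [
    # Startup-folder persistence: rundll32.exe copied and renamed, loading the
    # beacon DLL via DllRegisterServer (the command line shown on the page).
    {"id": 1, "image": r"C:\ProgramData\VGAuthService\VGAuthService.exe",
     "original_file_name": "RUNDLL32.EXE",
     "command_line": r"C:\ProgramData\VGAuthService\VGAuthService.exe C:\ProgramData\VGAuthService\VGAuthService.dll,DllRegisterServer",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Lateral movement: temporary service running the beacon, so services.exe is the parent.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe c:\programdata\svchost1.dll,DllRegisterServer",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # Benign rundll32 use launched from the shell: must not fire.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Security log event 1102 "The audit log was cleared".
    {"id": 1102, "channel": "Security", "image": "", "original_file_name": "",
     "command_line": "", "parent_image": ""},
]


def renamed_rundll32(ev: Event) -> bool:
    """The PE's original file name is rundll32 but the file on disk is called something else."""
    return (ev["id"] == 1
            and str(ev["original_file_name"]).upper() == "RUNDLL32.EXE"
            and ntpath.basename(str(ev["image"])).lower() != "rundll32.exe")


# A DLL under ProgramData invoked through its DllRegisterServer export.
DLLREG_RE = re.compile(r"(?i)c:\\programdata\\[^\s,]+\.dll\s*,\s*DllRegisterServer")


def dllregisterserver_from_programdata(ev: Event) -> bool:
    return ev["id"] == 1 and bool(DLLREG_RE.search(str(ev["command_line"])))


def service_spawned_rundll32(ev: Event) -> bool:
    """rundll32 started directly by the Service Control Manager, as happens when a
    remotely installed service's binary path is a rundll32 command line."""
    return (ev["id"] == 1
            and str(ev["original_file_name"]).upper() == "RUNDLL32.EXE"
            and ntpath.basename(str(ev["parent_image"])).lower() == "services.exe")


def audit_log_cleared(ev: Event) -> bool:
    """Security event 1102 is written when the Security log is cleared."""
    return ev["id"] == 1102 and ev.get("channel") == "Security"


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("renamed_rundll32", renamed_rundll32),
    ("dllregisterserver_from_programdata", dllregisterserver_from_programdata),
    ("service_spawned_rundll32", service_spawned_rundll32),
    ("audit_log_cleared", audit_log_cleared),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

The renamed-binary rule depends on the original file name being recorded by the telemetry source, so it is only as good as the process-creation logging in place; the service-parent rule is a hunting query rather than a high-fidelity alert and should be reviewed against known service installers in the environment before being promoted.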

Collection

7zip was deployed by the adversary to compress and stage data from folders of interest which had been browsed during RDP sessions.

Command and Control

Cobalt Strike was the primary C2 framework utilized by the threat actor to maintain their presence on the estate as well as to move laterally.

Exfiltration Using MegaSync

Before deploying the ransomware to the network, the threat actor began to exfiltrate data to Mega, a cloud storage provider. This was achieved by downloading the Mega sync client onto compromised hosts, allowing data to be uploaded directly to Mega.

Impact

The ransomware was pushed out to the endpoints using PsExec and impacted both servers and end-user devices. The ransomware executable was named zzz.exe and was located in the following folders:

  • C:\Windows\
  • C:\ProgramData\
  • C:\Users\<user>\Desktop\

Recommendations

  1. Ensure that both online and offline backups are taken and test the backup plan regularly to identify any weak points that could be exploited by an adversary.
  2. Restrict internal RDP and SMB traffic so that only hosts that are required to communicate via these protocols are permitted to do so.
  3. Monitor firewalls for anomalous spikes in data leaving the network.
  4. Block traffic to cloud storage services such as Mega which have no legitimate use in a corporate environment.
  5. Provide regular security awareness training.

If you have been impacted by LockBit, or currently have an incident and would like support, please contact our Cyber Incident Response Team on +44 161 209 5148 or email cirt@nccgroup.com.

Indicators of Compromise

IOC Value | Indicator Type | Description
--- | --- | ---
orangebronze[.]com | Domain | Cobalt Strike C2 server
194.26.29[.]13 | IP Address | Cobalt Strike C2 server
C:\ProgramData\svchost1.dll | File Path | Cobalt Strike beacon
C:\ProgramData\conhost.dll | File Path | Cobalt Strike beacon
C:\ProgramData\svchost.dll | File Path | Cobalt Strike beacon
C:\ProgramData\VGAuthService\VGAuthService.dll | File Path | Cobalt Strike beacon deployed by SocGholish
C:\Windows\zzz.exe | File Path | Ransomware executable
C:\ProgramData\zzz.exe | File Path | Ransomware executable
C:\Users\<user>\Desktop\zzz.exe | File Path | Ransomware executable
c:\users\<user>\appdata\local\megasync\megasync.exe | File Path | Mega sync software
C:\ProgramData\PsExec.exe | File Path | PsExec
C:\ProgramData\123.bat | File Path | Batch script to tamper with security software and services
D826A846CB7D8DE539F47691FE2234F0FC6B4FA0 | SHA1 Hash | C:\ProgramData\123.bat

Figure 2: Indicators of Compromise
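The indicators above are published defanged (the `[.]` in the domain and IP) and one path family uses a `<user>` placeholder, so they cannot be grepped for verbatim. The following is an added example, not code from the original post or from NCC Group: it refangs the network indicators, turns the `<user>` placeholder into a wildcard, and matches the whole set against log lines with boundaries that avoid partial hits such as a longer domain or a longer IP address. The indicator values are taken from the table; the log lines and their field layout are constructed for the example.

```python
"""Match the page's indicators against log lines (added example)."""
import re
from typing import List, Tuple

# Indicators as published in the table above (network values defanged with [.]).
IOCS = {
    "domain": ["orangebronze[.]com"],
    "ip": ["194.26.29[.]13"],
    "path": [
        r"C:\ProgramData\svchost1.dll", r"C:\ProgramData\conhost.dll",
        r"C:\ProgramData\svchost.dll",
        r"C:\ProgramData\VGAuthService\VGAuthService.dll",
        r"C:\Windows\zzz.exe", r"C:\ProgramData\zzz.exe",
        r"C:\Users\<user>\Desktop\zzz.exe",
        r"c:\users\<user>\appdata\local\megasync\megasync.exe",
        r"C:\ProgramData\PsExec.exe", r"C:\ProgramData\123.bat",
    ],
    "sha1": ["D826A846CB7D8DE539F47691FE2234F0FC6B4FA0"],
}

# Constructed log lines (not from the engagement). The last two are near misses
# that a naive substring search would wrongly flag.
SAMPLE_LOG_LINES = [
    r"2022-08-01T10:02:11Z dns client=10.0.0.15 qname=orangebronze.com qtype=A",
    r"2022-08-01T10:02:12Z proxy CONNECT 194.26.29.13:443 client=10.0.0.15",
    r"2022-08-01T10:05:40Z sysmon FileCreate Image=C:\Windows\explorer.exe TargetFilename=C:\Users\jdoe\Desktop\zzz.exe",
    r"2022-08-01T10:06:01Z edr FileHash sha1=d826a846cb7d8de539f47691fe2234f0fc6b4fa0 path=C:\ProgramData\123.bat",
    r"2022-08-01T10:07:00Z dns client=10.0.0.16 qname=notorangebronze.com qtype=A",
    r"2022-08-01T10:08:00Z proxy CONNECT 194.26.29.130:443 client=10.0.0.16",
]


def refang(value: str) -> str:
    """Undo the [.] defanging used when indicators are published."""
    return value.replace("[.]", ".")


def compile_iocs(iocs: dict) -> List[Tuple[str, str, re.Pattern]]:
    """Build (kind, published value, regex) triples with sensible boundaries."""
    patterns = []
    for d in iocs["domain"]:
        # No hostname characters on either side, so notorangebronze.com is not a hit.
        patterns.append(("domain", d, re.compile(
            r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])", re.I)))
    for ip in iocs["ip"]:
        # No digits or dots adjacent, so 194.26.29.130 is not a hit for 194.26.29.13.
        patterns.append(("ip", ip, re.compile(
            r"(?<![\d.])" + re.escape(refang(ip)) + r"(?!\d)")))
    for p in iocs["path"]:
        # <user> stands for any single path component; Windows paths are case-insensitive.
        rx = re.escape(p).replace(re.escape("<user>"), r"[^\\]+")
        patterns.append(("path", p, re.compile(rx, re.I)))
    for h in iocs["sha1"]:
        patterns.append(("sha1", h, re.compile(re.escape(h), re.I)))
    return patterns


def scan(lines: List[str], patterns) -> List[Tuple[int, str, str]]:
    """Return (line index, indicator kind, published indicator) for each match."""
    hits = []
    for i, line in enumerate(lines):
        for kind, published, rx in patterns:
            if rx.search(line):
                hits.append((i, kind, published))
    return hits


if __name__ == "__main__":
    for line_no, kind, published in scan(SAMPLE_LOG_LINES, compile_iocs(IOCS)):
        print(f"line {line_no}: {kind} {published}")
```

Reporting the published (defanged) form of the indicator in each hit keeps the output safe to paste into a ticket, while matching is done on the refanged value.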

MITRE ATT&CK®

Tactic | Technique | ID | Description
--- | --- | --- | ---
Initial Access | Drive-by Compromise | T1189 | Initial access was gained via infection with SocGholish malware caused by a drive-by download
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | A batch script was utilized to execute malicious commands
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell was utilized to execute malicious commands
Execution | System Services: Service Execution | T1569.002 | Cobalt Strike remotely created services to execute its payload
Execution | System Services: Service Execution | T1569.002 | PsExec creates a service to perform its execution
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | SocGholish established persistence through a startup folder
Defence Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | 123.bat disabled and uninstalled anti-virus software
Defence Evasion | Indicator Removal on Host: Clear Windows Event Logs | T1070.001 | The ransomware executable cleared Windows event log files
Discovery | Domain Trust Discovery | T1482 | The threat actor executed Bloodhound to map out the AD environment
Discovery | Domain Trust Discovery | T1482 | A TGS ticket for a single account was observed in a text file created by the threat actor
Discovery | System Information Discovery | T1082 | Seatbelt was run to gather information on patient zero
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Cobalt Strike targeted SMB shares for lateral movement
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | RDP was used to establish sessions to other hosts on the network
Collection | Archive Collected Data: Archive via Utility | T1560.001 | 7zip was utilized to create archives containing data from folders of interest
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Cobalt Strike communicated with its C2 over HTTPS
Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | The threat actor exfiltrated data to Mega cloud storage
Impact | Data Encrypted for Impact | T1486 | Ransomware was deployed to the estate and impacted both servers and end-user devices
[1] https://www.bleepingcomputer.com/news/security/conti-ransomware-finally-shuts-down-data-leak-negotiation-sites/
[2] https://github.com/GhostPack/Seatbelt