LockBit 3.0 Ransomware affiliates acting as a lure with phishing emails to deplo...
Amadey Bot is being used by ransomware affiliates to deploy LockBit 3.0, as validated by our threat research team. Amadey Bot first appeared in 2018; it is a downloader that executes commands from its operator to steal information and install additional malware. It is still used by numerous attackers and is sold on underground marketplaces alongside other malware strains.
In the past it has been used by GandCrab operators to deploy their ransomware, and by the notorious TA505 gang, responsible for the [Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware), to deploy FlawedAmmyy. More recently, Amadey has been distributed disguised as a popular Korean messenger application.
## How Amadey Bot Is Being Distributed
Two distribution vectors have been identified for the Amadey Bot that installs LockBit: malicious Word documents, and executables disguised as Word documents.
### 1. Distribution via a Malicious Word Document
_"Sia_Sim.docx"_ is a malicious Word document that was uploaded to VirusTotal. The document itself carries no macro; instead it references an external template (remote template injection). When it is opened, Word downloads a second document, a .dotm template, from the referenced URL, and that template contains the malicious VBA macro.
***Figure 1: External template URL referenced by the document***
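The remote-template reference shown in Figure 1 can be checked without ever opening the file in Word. The following Python is an added example, not code from the original post: it unpacks a .docx (a zip of XML parts), lists every package relationship marked `TargetMode="External"`, and reports attachedTemplate targets together with whether the file carries a `vbaProject.bin` of its own. The .docx it scans is constructed in memory with a hypothetical template URL; it is not the real Sia_Sim.docx.

```python
"""Static check for Word documents that fetch a remote template on open, the
technique Sia_Sim.docx uses to pull a macro-bearing .dotm. Added example, not
code from the original post; the sample .docx is constructed in memory and the
template URL is a hypothetical TEST-NET address. Standard library only."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(docx_bytes):
    """List (rels part, relationship type, target) for every relationship in
    the OOXML package marked TargetMode="External". Every *.rels part in the
    zip is a small XML file describing what other parts (or URLs) are used."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def scan_docx(docx_bytes):
    """The two facts to establish before anyone clicks 'Enable Content':
    does the file embed VBA itself, and does it ask Word to fetch a template
    from an external location (where a .dotm can carry the VBA instead)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
    externals = external_relationships(docx_bytes)
    return {
        "embedded_vba": "word/vbaProject.bin" in names,
        "remote_templates": [t for _, rtype, t in externals if rtype == ATTACHED_TEMPLATE],
        "other_external_targets": [t for _, rtype, t in externals if rtype != ATTACHED_TEMPLATE],
    }


def build_sample_docx(template_url=None):
    """Constructed test input: a minimal .docx. With template_url set, the
    settings part references that URL as an external attached template, the
    same structure Sia_Sim.docx relies on; without it the file is benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" '
                    'Type="%s/officeDocument" Target="word/document.xml"/></Relationships>'
                    % (REL_NS, OFFICE_REL))
        zf.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        settings = '<w:settings xmlns:w="%s" xmlns:r="%s">' % (W_NS, OFFICE_REL)
        if template_url:
            settings += '<w:attachedTemplate r:id="rId1"/>'
        settings += "</w:settings>"
        zf.writestr("word/settings.xml", settings)
        if template_url:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (REL_NS, ATTACHED_TEMPLATE, template_url))
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address, not the real host.
    suspicious = build_sample_docx("http://203.0.113.10/v5sqpe.dotm")
    print(scan_docx(suspicious))
    print(scan_docx(build_sample_docx()))
```

In triage the `remote_templates` list is the item to act on: a .docx with no embedded VBA is not "macro-free" if Word will fetch a .dotm from that URL on open. A document built the normal way has no external attachedTemplate relationship at all.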
The image placed in the document body prompts the user to click _"Enable Content"_ so that the VBA macro can run.
***Figure 2: An example of a malicious Word file that activates a macro***
After the user clicks _"Enable Content,"_ the downloaded VBA macro writes a malicious LNK file to `C:\Users\Public\skem.lnk` and then executes it with the following command, passing the LNK path as the argument:
`rundll32 url.dll,OpenURL`
***Figure 3: The downloaded VBA macro***
The LNK file is a downloader: it launches a PowerShell command that downloads Amadey and runs it.
***Figure 4: The generated LNK file***
### 2. Distribution via an Executable Disguised as a Word Document
In another case the malware was named _"Resume.exe."_ The email used in the attack has not been confirmed, but the executable carries a Word document icon so that it passes as a harmless document, and its characteristics indicate that Amadey was distributed as a malicious e-mail attachment. The sample shown below was collected on October 27th, 2022.
***Figure 5: Amadey Bot disguised with a Word document icon***
## Amadey Bot
Both Amadey samples above were downloaded from the same URL and communicate with the same C&C server, which indicates a single attacker using several distribution vectors. Once running, Amadey copies itself into the Temp directory and registers a scheduled task so that it keeps running after a reboot; the task below re-launches the copy every minute.
`"c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn rovwer.exe /tr "c:\users\[username]\appdata\local\temp\0d467a63d9\rovwer.exe" /f`
It then connects to the C&C server, sends basic information about the infected host, and receives commands. Amadey's capabilities, including the data it steals and the information it reports back from infected machines, were covered in the earlier post linked below.
#### [SmokeLoader](https://bit.ly/3OyFMJZ) is Being Used to Disseminate the Amadey Bot.
***Figure 6: C&C Communication Model Used by Amadey***
***Figure 7: Login screen for Amadey***
The C&C server sent Amadey three commands, each instructing it to download and execute a payload from an external URL. All three payloads are LockBit: two PowerShell scripts, "cc.ps1" and "dd.ps1," and "LBB.exe," the executable form of LockBit. Each is written into a folder whose name is supplied by the C&C server.
### LockBit 3.0
Once the download completes, LockBit is executed. The PowerShell versions are obfuscated; the script is deobfuscated in memory and then run.
***Figure 8: Obfuscated PowerShell LockBit***
When the payload Amadey downloaded is a PowerShell script, it is run with the following command:
`"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -file "c:\users\[username]\appdata\local\temp\1000018041\dd.ps1"`
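The three command lines on this page (the macro launching its LNK through `rundll32 url.dll,OpenURL`, Amadey's per-minute `schtasks` persistence from Temp, and the `powershell.exe -executionpolicy remotesigned -file` launch of the LockBit script) are all visible in process-creation telemetry. The Python below is an added example, not code from the original post or from any vendor product: it encodes the three as command-line rules, runs them over a constructed set of sample events (the host names and the user name `victim` are hypothetical), and reports any host on which more than one stage of the chain appears.

```python
"""Command-line detections for the Amadey / LockBit execution chain described
above. Added example, not code from the original post. The sample events are
constructed (hosts 'pc1'/'pc2' and user 'victim' are hypothetical); in
practice feed real process-creation events, e.g. Sysmon Event ID 1 CommandLine."""
import re

# Locations a legitimate scheduled task or signed script should not live in.
USER_WRITABLE = r'\\(?:appdata\\local\\temp|users\\public|programdata)\\'

# (rule name, regex applied to the normalised, lower-cased command line)
RULES = [
    ("lnk_via_rundll32_openurl",
     re.compile(r'rundll32(?:\.exe)?\s+url(?:\.dll)?,\s*openurl\s+\S+')),
    ("schtasks_minute_from_user_writable",
     re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\s.*?/sc\s+minute\s.*?/tr\s+"?[^"]*'
                + USER_WRITABLE)),
    ("powershell_file_from_temp",
     re.compile(r'powershell(?:\.exe)?"?\s.*?-executionpolicy\s+'
                r'(?:remotesigned|bypass|unrestricted)\s.*?-file\s+"?[^"]*'
                r'\\appdata\\local\\temp\\')),
]


def normalise(cmdline):
    """Lower-case and collapse whitespace so quoting/spacing variants match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(cmdline):
    """Names of every rule the command line trips (empty list if none)."""
    text = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(events):
    """events: iterable of (host, command_line). Returns a list of
    (host, rule_name, command_line) hits in event order."""
    hits = []
    for host, cmd in events:
        for rule in match_rules(cmd):
            hits.append((host, rule, cmd))
    return hits


def hosts_with_chain(hits, minimum=2):
    """Hosts that tripped at least `minimum` distinct rules. One rule alone
    is a lead; several stages of the same chain on one host is an incident."""
    seen = {}
    for host, rule, _ in hits:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= minimum)


# Constructed sample events: pc1 reproduces the chain from this page,
# pc2 carries look-alike but benign administration commands.
SAMPLE_EVENTS = [
    ("pc1", r'rundll32 url.dll,OpenURL C:\Users\Public\skem.lnk'),
    ("pc1", r'"c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn rovwer.exe '
            r'/tr "c:\users\victim\appdata\local\temp\0d467a63d9\rovwer.exe" /f'),
    ("pc1", r'"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy '
            r'remotesigned -file "c:\users\victim\appdata\local\temp\1000018041\dd.ps1"'),
    ("pc2", r'"c:\windows\system32\schtasks.exe" /create /sc daily /st 02:00 /tn NightlyBackup '
            r'/tr "c:\program files\backup\run.exe"'),
    ("pc2", r'powershell.exe -executionpolicy remotesigned -file "c:\scripts\inventory.ps1"'),
    ("pc2", r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'),
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print("hosts with chain:", hosts_with_chain(scan(SAMPLE_EVENTS)))
```

The `/sc minute` interval and the Temp path are what separate Amadey's task from ordinary maintenance tasks, and the Temp path is likewise what separates the LockBit launch from an administrator running a script with `-executionpolicy remotesigned`; matching on `powershell.exe` or `schtasks.exe` alone would be far too noisy.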
LockBit has been distributed widely in Korea throughout 2022, and the research team has published several analyses of it. LockBit 3.0 has now been confirmed being distributed with lures such as "job application" and "copyright"; these themes indicate that the attacks are aimed at businesses.
The [Lockbit ransomware](https://bit.ly/3EFSu6g) encrypts files in the user's environment, changes the desktop wallpaper as shown below to alert the user, and drops a ransom note in every directory containing encrypted files. The note claims that the data has been encrypted and stolen and threatens to publish it unless the ransom is paid.
***Figure 9: Desktop wallpaper changed by LockBit 3.0***
***Figure 10: LockBit 3.0 Encryption Note***
Because LockBit ransomware is being spread through a number of channels, users should exercise extreme care: keep the programs they use and their anti-malware software (V3) up to date, and never open document files received from unknown sources.
## File Detection
– Downloader/DOC.External (2022.10.31.02)
– Downloader/DOC.Generic (2022.10.31.02)
– Trojan/LNK.Runner (2022.10.31.02)
– Malware/Win.Generic.R531852 (2022.10.27.03)
– Trojan/Win.Delf.R452782 (2021.11.24.02)
– Ransomware/Win.LockBit.R506767 (2022.07.27.01)
– Ransomware/PowerShell.Lockbit.S1945 (2022.10.29.00)
## AMSI Detection
– Ransomware/PowerShell.Lockbit.SA1945 (2022.10.29.00)
## Behavioral Detection
## Indicators of Compromise
– 13b12238e3a44bcdf89a7686e7179e16: Malicious Word Document (Sia_Sim.docx)
– ae59e82ddd8d9840b79bfddbe4034462: Downloaded malicious VBA macro (v5sqpe.dotm)
– bf4d4f36c34461c6605b42c456fa4492: Downloader LNK (skeml.lnk)
– 56c9c8f181803ece490087ebe053ef72: Amadey (1234.exe)
– bf331800dbb46bb32a8ac89e4543cafa: Amadey (Resume.exe)
– ad444dcdadfe5ba7901ec58be714cf57: Amadey Stealer Plugin (cred.dll)
– f9ab1c6ad6e788686509d5abedfd1001: LockBit (cc.ps1)
– 1690f558aa93267b8bcd14c1d5b9ce34: LockBit (dd.ps1)
– 5e54923e6dc9508ae25fb6148d5b2e55: LockBit (LBB.exe)
#### C&C and Download
– hxxp://188.34.187[.]110/v5sqpe.dotm: External template URL
– hxxp://188.34.187[.]110/1234.exe: Amadey download URL
– hxxp://62.204.41[.]25/3g4mn5s/index.php: Amadey C&C
– hxxp://62.204.41[.]25/3g4mn5s/Plugins/cred.dll: Amadey stealer plugin download
– hxxp://188.34.187[.]110/dd.ps1: LockBit
– hxxp://188.34.187[.]110/cc.ps1: LockBit
– hxxp://188.34.187[.]110/LBB.exe: LockBit