Researchers at SentinelLabs discovered new behaviors from the LockBit Ransomware-as-a-Service (RaaS) operators, or possibly an affiliate. The attack abuses the legitimate VMware utility ‘VmwareXferlogs.exe’, which is susceptible to DLL side-loading. While this utility is legitimate and can exist alongside installed VMware products, the researchers observed the threat actors downloading three files to the victim host: a copy of the legitimate executable, the malicious DLL to be side-loaded, and a ‘.log’ file containing an encrypted Cobalt Strike Beacon Reflective Loader. Side-loading hijacks a DLL by tricking a benign process into loading a malicious DLL in place of the original one. In this instance, the malicious DLL exports all of the same function names that ‘VmwareXferlogs.exe’ imports from the original library, but their bodies are replaced so that each one simply exits the process, with the exception of ‘g_path_get_basename’. This function invokes the malicious payload and exits after execution.
This particular variant employs a number of detection evasion techniques including:
- Debugger checking
- EDR/EPP Bypass
- Event Tracing for Windows (ETW) Bypass
- Antimalware Scan Interface (AMSI) Bypass
Finally, once these evasion methods complete successfully, the malware enters the final phase of execution. During this phase the RC4-encrypted Cobalt Strike Beacon Reflective Loader inside the ‘.log’ file is decrypted with a hardcoded 136-byte key and loaded directly into memory, completing the attack chain.
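To illustrate this final stage, here is the offline analyst step as an added example (not SentinelLabs' or the actor's code): decrypt the RC4 container file with the key recovered from the loader and check that a PE image, which is what a reflective loader is, comes out. The key bytes, container name and payload are constructed stand-ins; in a real analysis the 136-byte key would be lifted from the side-loaded DLL, and the same routine applies to the ‘vmtools.ini’ container used by the variants.

```python
"""
Offline decryption of the RC4-encrypted payload container ('.log' or
'vmtools.ini') from the side-loading chain described above.

Added example, not SentinelLabs' or the threat actor's code. The key bytes,
file name and payload content below are constructed for the demo.
"""
import os
import tempfile


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm. RC4 consumes at most 256 key bytes, so a
    136-byte key is used in full with no truncation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """A Beacon Reflective Loader is a PE image: 'MZ' header, then the
    e_lfanew offset at 0x3C pointing at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_container(path: str, key: bytes) -> tuple[bytes, bool]:
    """Decrypt the container and report whether a PE image came out.
    A False result usually means the wrong key or a different variant."""
    with open(path, "rb") as f:
        plaintext = rc4_crypt(key, f.read())
    return plaintext, looks_like_pe(plaintext)


# --- constructed demo data (not real samples) --------------------------------
DEMO_KEY = bytes((i * 7 + 3) & 0xFF for i in range(136))  # stand-in for the hardcoded key


def build_fake_pe() -> bytes:
    """Minimal stand-in for a reflective loader: MZ header, e_lfanew=0x80, PE signature."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def demo() -> bool:
    """Encrypt a fake payload into a '.log' container, then decrypt it with
    the right key and with a wrong key."""
    with tempfile.TemporaryDirectory() as d:
        container = os.path.join(d, "VmwareXferlogs.log")  # constructed file name
        with open(container, "wb") as f:
            f.write(rc4_crypt(DEMO_KEY, build_fake_pe()))
        _, is_pe = decrypt_container(container, DEMO_KEY)
        _, is_pe_wrong = decrypt_container(container, DEMO_KEY[::-1])
        return is_pe and not is_pe_wrong


if __name__ == "__main__":
    print("decryption ok:", demo())
```

The PE check is the sanity test an analyst wants before going further: RC4 has no authentication, so a wrong key yields plausible-looking bytes rather than an error, and only the recovered structure tells you the key was right.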
SentinelLabs researchers also discovered several variations of this side-loading technique. In some cases, a ‘vmtools.ini’ file held the encrypted payload instead of a ‘.log’ file. In other cases the ‘vmtools.ini’ container is used as well, and the side-loaded DLL that reads it is packed with a customized build of the UPX packer.
Security researchers at vxunderground announced on Twitter that they have evidence indicating that this variation of the LockBit ransomware was created by an affiliate group rather than by the LockBit developers themselves. SentinelLabs has since updated their original article to say that they have identified a connection between these variants and the group that Microsoft tracks as DEV-0401, which signifies a shift in DEV-0401’s previously observed tactics, techniques, and procedures (TTPs).
Threat Intel attribution question:
If the RaaS developer does not implement the functionality described in the paper (see first image below), can it be attributed to Lockbit ransomware group? Or should it be attributed to the unknown affiliate? (see second image below) pic.twitter.com/kVTeNULNCj
— vx-underground (@vxunderground) April 28, 2022