Researchers at SentinelLabs discovered new behaviors from the LockBit Ransomware-as-a-Service (RaaS) operators, or possibly an affiliate. The attack involves the legitimate VMware utility ‘VmwareXferlogs.exe’, which is susceptible to DLL side-loading. While this utility is legitimate and can exist alongside installed VMware products, the researchers observed the threat actors downloading a copy of the legitimate executable, as well as the malicious DLL to be side-loaded, and a ‘.log’ file containing an encrypted Cobalt Strike Beacon Reflective Loader to the victim host. Side-loading is a technique used to hijack a DLL by tricking a benign process into loading a malicious DLL instead of the original DLL. In this instance, the malicious DLL exports all of the same function names that ‘VmwareXferlogs.exe’ requests from it; however, their contents are replaced so that they all simply exit the process, with the exception of ‘g_path_get_basename’. This function invokes the malicious payload and exits after execution.
This particular variant employs a number of detection evasion techniques including:
- Debugger checking
- EDR/EPP Bypass
- Event Tracing for Windows (ETW) Bypass
- Antimalware Scan Interface (AMSI) Bypass
Finally, once these evasion methods are completed successfully, the malware enters the final phase of execution. During this phase the RC4-encrypted Cobalt Strike Beacon Reflective Loader inside the ‘.log’ file is decrypted with a hardcoded 136-byte key and loaded directly into memory, completing the attack chain.
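For an analyst who has recovered the ‘.log’ file and the 136-byte key from the DLL, the decryption step above is a plain RC4 pass. The following Python is an added example written for this summary, not code from SentinelLabs or from the sample: it implements RC4 from scratch, decrypts a blob with a caller-supplied key, and only returns the result if it carries a DOS/PE header, which is a quick way to confirm a candidate key before doing any further analysis. The key and the sample buffer are constructed placeholders; the real key is not reproduced here, and the check is a heuristic (a bare reflective-loader stub may not begin with an MZ header).

```python
import struct
from typing import Optional

# Placeholder 136-byte key, constructed for this example. The key carried by the
# actual malicious DLL is NOT reproduced here; substitute the recovered bytes.
PLACEHOLDER_KEY = bytes((i * 7 + 3) & 0xFF for i in range(136))


def _build_pe_stub() -> bytes:
    """Constructed stand-in for a decrypted payload: a minimal DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, enough to exercise looks_like_pe()."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\x64\x86" + b"\0" * 18


SAMPLE_PE_STUB = _build_pe_stub()


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the input
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """Heuristic key check: does the buffer start with a DOS header whose
    e_lfanew lands on a valid PE signature?"""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt an RC4-protected blob and return it only if it looks like a PE image;
    None signals that the key is probably wrong (or the payload is headerless)."""
    plain = rc4_crypt(key, blob)
    return plain if looks_like_pe(plain) else None


def recover_from_file(path: str, key: bytes = PLACEHOLDER_KEY) -> Optional[bytes]:
    """Convenience wrapper for a recovered '.log' (or 'vmtools.ini') artifact on disk."""
    with open(path, "rb") as fh:
        return recover_payload(fh.read(), key)


if __name__ == "__main__":
    # Round-trip the constructed stub through RC4 with the placeholder key to show
    # what a successful decryption looks like, and what a wrong key produces.
    encrypted = rc4_crypt(PLACEHOLDER_KEY, SAMPLE_PE_STUB)
    print("correct key ->", recover_payload(encrypted, PLACEHOLDER_KEY) is not None)
    print("wrong key   ->", recover_payload(encrypted, b"not-the-key") is not None)
```

When a decrypted buffer passes the header check, the next step for the analyst is to hand it to a PE parser; when it fails, the likelier explanations are a wrong key, a key read at the wrong offset, or a payload that is raw position-independent code rather than a full image.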
SentinelLabs researchers also discovered several variations of this type of side-loading technique. In some cases, a ‘vmtools.ini’ file was used to contain the encrypted payload instead of a ‘.log’ file. In other cases, the ‘vmtools.ini’ file is used, but is packed with a custom version of the UPX packer.
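Because every variant above still depends on a copy of ‘VmwareXferlogs.exe’ running from wherever the actors dropped it, alongside a DLL it then loads, the behaviour is visible in image-load telemetry regardless of whether the payload sits in a ‘.log’ or a ‘vmtools.ini’. The following Python is an added detection example for this summary, not a SentinelLabs rule: it scores Sysmon Event ID 7 (Image loaded) records for three signs of the side-loading pattern, the host executable running outside the VMware Tools install directory, the loaded module coming from that same non-standard directory, and the module lacking a valid signature. The expected install paths, the field names used (Sysmon's `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) and the sample events are assumptions and constructed data; the DLL file name is a placeholder since the page does not name it.

```python
import json
import ntpath
from typing import Dict, List

# Directories where the genuine VMware Tools binaries are expected to live
# (assumption for this example; adjust to the environment's baseline).
EXPECTED_VMWARE_DIRS = (
    r"c:\program files\vmware\vmware tools",
    r"c:\program files (x86)\vmware\vmware tools",
)
# Directories from which the OS legitimately serves system DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TARGET_EXE = "vmwarexferlogs.exe"


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").strip().lower()


def assess_image_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 7 record matches the VmwareXferlogs
    side-loading pattern. An empty list means the record is not of interest."""
    image = _norm(event.get("Image", ""))
    if ntpath.basename(image) != TARGET_EXE:
        return []
    loaded = _norm(event.get("ImageLoaded", ""))
    exe_dir = ntpath.dirname(image)
    dll_dir = ntpath.dirname(loaded)
    reasons = []
    if not exe_dir.startswith(EXPECTED_VMWARE_DIRS):
        reasons.append(f"{TARGET_EXE} executing from unexpected directory: {exe_dir}")
    if dll_dir == exe_dir and not dll_dir.startswith(EXPECTED_VMWARE_DIRS):
        reasons.append(f"module loaded from the executable's own directory: {loaded}")
    elif not dll_dir.startswith(EXPECTED_VMWARE_DIRS + SYSTEM_DIRS):
        reasons.append(f"module loaded from a non-system, non-VMware path: {loaded}")
    signed = str(event.get("Signed", "")).lower() == "true"
    status_ok = str(event.get("SignatureStatus", "")).lower() == "valid"
    if not (signed and status_ok):
        reasons.append(f"module without a valid signature: {ntpath.basename(loaded)}")
    return reasons


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON-encoded Sysmon records and return only the flagged ones."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = assess_image_load(event)
        if reasons:
            hits.append({"UtcTime": event.get("UtcTime"), "reasons": reasons})
    return hits


# Constructed sample telemetry (not real logs). 'helper.dll' is a placeholder
# for whichever export-providing DLL the loader resolves.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "UtcTime": "2022-01-01 10:00:00.000",
                "Image": r"C:\Program Files\VMware\VMware Tools\VmwareXferlogs.exe",
                "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\helper.dll",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "UtcTime": "2022-01-01 10:05:00.000",
                "Image": r"C:\Users\Public\VmwareXferlogs.exe",
                "ImageLoaded": r"C:\Users\Public\helper.dll",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 7, "UtcTime": "2022-01-01 10:05:01.000",
                "Image": r"C:\Users\Public\VmwareXferlogs.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "UtcTime": "2022-01-01 10:06:00.000",
                "Image": r"C:\Windows\System32\notepad.exe",
                "ImageLoaded": r"C:\Users\Public\helper.dll",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["UtcTime"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The second sample record trips all three checks, which is the high-confidence case; the third trips only the location check, which is still worth surfacing because the legitimate utility has no reason to run from a user-writable directory. Pairing this with a file-creation alert on a ‘.log’ or ‘vmtools.ini’ written next to the executable covers the variants described above without relying on the payload container's name.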