LockBit 3.0 Being Distributed via Amadey Bot

The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers.

It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which is infamous for Clop ransomware. Recently, it was distributed under the disguise of a popular Korean messenger app.

Amadey Bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon.


Distribution Case 1. Malicious Word File

The following is a malicious Word document named “Sia_Sim.docx.” It was uploaded to VirusTotal. As an external Word file, it downloads a Word file that contains a malicious VBA macro from the following URL when run.

Figure 1. External URL

The text body contains an image that prompts the user to click “Enable Content” to enable the VBA macro.

Figure 2. Malicious Word file that prompts the activation of macro

When the user clicks “Enable Content,” the downloaded VBA macro (the one that installs the malicious LNK file) is executed. The LNK file is created in the “C:\Users\Public\skem.lnk” pathway and is executed via the following command.

> rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk

Figure 3. Downloaded VBA macro

The LNK file is a downloader that runs powershell command to download and run Amadey.

Figure 4. Created LNK file


Distribution Case 2. Executable Disguised as Word File

There is also a case where the malware was found as “Resume.exe.” The e-mail used in the attack has not been confirmed yet, but the file was run as “Resume.exe.” It was also disguised as an innocuous Word file icon and created by a compression program. Judging from its characteristics above, it appears that Amadey was installed via an e-mail attachment. Next is an executable collected on October 27, 2022.

Figure 5. Amadey Bot disguised as innocuous Word file icon


Amadey Bot

Given that both Amadeys above used the same C&C server and download URL, it appears that the attacker has been distributing Amadey Bots in two ways. Amadey that is run through the process above copies itself into the Temp directory, registers to the task scheduler and allows it to run even after a reboot.

> “c:\windows\system32\schtasks.exe” /create /sc minute /mo 1 /tn rovwer.exe /tr “c:\users[username]\appdata\local\temp\0d467a63d9\rovwer.exe” /f

Afterward, it connects to the C&C server, sends default information of the infected system, and receives commands. The blog previously introduced Amadey’s features and details, including the types of infected PC’s information the malware sends to the C&C server, and info-stealing plugins.

Figure 6. Amadey’s C&C Communication

Figure 7. Amadey’s login page

Amadey receives three commands from the C&C server, and they are all commands that download and execute malware from the external source. “cc.ps1” and “dd.ps1” are LockBits in powershell form, and “LBB.exe” is LockBit in exe form. They are each created in directory names shown in the C&C server’s response, retrospectively.

– %TEMP%\1000018041\dd.ps1
– %TEMP%\1000019041\cc.ps1
– %TEMP%\1000020001\LBB.exe


LockBit 3.0

Once the download is complete, the malware runs LockBit. The powershell files are initially obfuscated, and are structured to be executed after being unobfuscated in the memory.

Figure 8. Obfuscated LockBit powershell malware

If the file Amadey downloaded is a powershell form, the following command is used.

> “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -executionpolicy remotesigned -file “c:\users[username]\appdata\local\temp\1000018041\dd.ps1”

Lockbits that are installed via Amadey have been distributed in Korea since 2022, and the team has posted various articles that analyzed the ransomware. The recently confirmed version is LockBit 3.0 which is distributed using keywords such as job application and copyright. Judging from the themes, it appears that the attack is targeting companies.

Lockbit ransomware infects files that exist in the user’s environment, changes the desktop as seen below, and notifies the user. It then creates a ransom note in each folder, stating that all data in the system has been encrypted and stolen, and threatening the user that the data will be decrypted and leaked on the Internet if they refuse to pay money.

Figure 9. Desktop warped by LockBit 3.0 ransomware infection

Figure 10. Ransom note of LockBit 3.0

As LockBit ransomware is being distributed through various methods, user caution is advised. Users should update the applications and V3 they use to the latest version and refrain from opening document files from unknown sources.

[File Detection]
– Downloader/DOC.External (2022.10.31.02)
– Downloader/DOC.Generic (2022.10.31.02)
– Trojan/LNK.Runner (2022.10.31.02)
– Malware/Win.Generic.R531852 (2022.10.27.03)
– Trojan/Win.Delf.R452782 (2021.11.24.02)
– Ransomware/Win.LockBit.R506767 (2022.07.27.01)
– Ransomware/PowerShell.Lockbit.S1945 (2022.10.29.00)

[AMSI Detection]
– Ransomware/PowerShell.Lockbit.SA1945 (2022.10.29.00)

[Behavior Detection]
– Ransom/MDP.Decoy.M1171
– Ransom/MDP.Event.M1875
– Ransom/MDP.Behavior.M1946

[IOC]
MD5

– 13b12238e3a44bcdf89a7686e7179e16: Malicious Word Document (Sia_Sim.docx)
– ae59e82ddd8d9840b79bfddbe4034462: Downloaded malicious VBA macro (v5sqpe.dotm)
– bf4d4f36c34461c6605b42c456fa4492: Downloader LNK (skeml.lnk)
– 56c9c8f181803ece490087ebe053ef72: Amadey (1234.exe)
– bf331800dbb46bb32a8ac89e4543cafa: Amadey (Resume.exe)
– ad444dcdadfe5ba7901ec58be714cf57: Amadey Stealer Plugin (cred.dll)
– f9ab1c6ad6e788686509d5abedfd1001: LockBit (cc.ps1)
– 1690f558aa93267b8bcd14c1d5b9ce34: LockBit (dd.ps1)
– 5e54923e6dc9508ae25fb6148d5b2e55: LockBit (LBB.exe)

C&C and Download
– hxxp://188.34.187[.]110/v5sqpe.dotm: External URL
– hxxp://188.34.187[.]110/1234.exe: Amadey Download URL
– hxxp://62.204.41[.]25/3g4mn5s/index.php : Amadey C&C
– hxxp://62.204.41[.]25/3g4mn5s/Plugins/cred.dll : Amadey Stealer Plugin Download
– hxxp://188.34.187[.]110/dd.ps1 : LockBit
– hxxp://188.34.187[.]110/cc.ps1 : LockBit
– hxxp://188.34.187[.]110/LBB.exe : LockBit

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, ,

0 0 votes
Article Rating
guest

84 Comments
Inline Feedbacks
View all comments
trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] keeping with a brand new AhnLab report, the menace actor targets corporations utilizing phishing emails with lures pretending to be job […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] on a brand new AhnLab report, the risk actor targets firms utilizing phishing emails with lures pretending to be job software […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Word file icon,“ AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Phrase file icon,” AhnLab Safety Emergency Response Heart (ASEC) mentioned in a brand new report revealed at […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] AhnLab,已確認攻擊者正在利用 Amadey Bot惡意軟體續進行 […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published […]

trackback

[…] that the attackers had been utilizing the Amadey Bot to put in LockBit. “is studying Report Printed by the safety firm. “Amadey Bot, the malware used to put in LockBit, is distributed […]

trackback

[…] team has confirmed that attackers are using Amadey Bot to install LockBit. ” reads the report published by the security firm. “Amadey Bot, the malware that is used to install LockBit, is […]

trackback

[…] analysis team has confirmed that attackers are using Amadey Bot to install LockBit. ” reads the report published by the security firm. “Amadey Bot, the malware that is used to install LockBit, is […]

trackback

[…] analysis team has confirmed that attackers are using Amadey Bot to install LockBit. ” reads the report published by the security firm. “Amadey Bot, the malware that is used to install LockBit, is […]

trackback

[…] to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job […]

trackback

[…] takes the hide of the Phrase record icon,” AhnLab Safety Emergency Reaction Middle (ASEC) mentioned in a brand new document revealed these […]

trackback

[…] analysis team has confirmed that attackers are using Amadey Bot to install LockBit. ” reads the report published by the security firm. “Amadey Bot, the malware that is used to install LockBit, is […]

trackback

[…] Bot is being propagated by way of two strategies: the usage of a malicious Phrase document and the usage of an executable […]

trackback

[…] to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job […]

trackback

[…] FORRÁS […]

trackback

[…] A PowerShell script or executable file is downloaded as part of the LockBit 3.0 payload in this attack. Once done, then on the host threat actors run them together to encrypt files, Researchers at Ahnlab said. […]

trackback

[…] A PowerShell script or executable file is downloaded as part of the LockBit 3.0 payload in this attack. Once done, then on the host threat actors run them together to encrypt files, Researchers at Ahnlab said. […]

trackback

[…] Skrip PowerShell atau file yang dapat dieksekusi diunduh sebagai bagian dari muatan LockBit 3.0 dalam serangan ini. Setelah selesai, lalu di host, aktor ancaman menjalankannya bersama-sama untuk mengenkripsi file, Peneliti di Ahnlab dikatakan. […]

trackback

[…] LockBit 3.0 Being Distributed via Amadey Bot […]

trackback

[…] takes the disguise of the Word file icon,” AhnLab Security Emergency Response Center (ASEC) said in a new report published today.Amadey, first discovered in 2018, is a “criminal-to-criminal […]

trackback

[…] LockBit 3.0 Being Distributed via Amadey Bot […]

trackback

[…] LockBit 3.0 Being Distributed via Amadey Bot […]

trackback

[…] | アイホン株式会社 ・Report on DDoS attacks in Q3 2022 | Securelist ・LockBit 3.0 Being Distributed via Amadey Bot – ASEC BLOG ・2022年秋のEmotetの復活を総合的に考える | Proofpoint JP […]

trackback

[…] Amadey Bot Being Distributed Through SmokeLoader LockBit 3.0 Being Distributed via Amadey Bot […]