The distribution method involving the impersonation of resumes is one of the main methods used by the LockBit ransomware. Information related to this has been shared through the ASEC Blog in February of this year. [1] In contrast to the past where only the LockBit ransomware was distributed, it has been confirmed that an Infostealer is also being included in recent distributions. [2] (This link is only available in Korean.)
‘Resume16.egg’ holds the LockBit ransomware disguised as a PDF file (left) and the Vidar Infostealer disguised as a PPT file (right).
The executed ransomware is LockBit 3.0, which encrypts files on the user’s PC environment, excluding PE files.
The Vidar Infostealer, which is distributed alongside the LockBit ransomware, connects to a Telegram website before engaging in C2 communication. The website is the Telegram channel called “twowheelfun”. It uses a certain string mentioned on the page as the C2 server address. This method can often be observed from the Vidar Infostealer, and it allows bypassing network detection by periodically changing C2 servers.
Following this, it connects to the actual C2 server to download the necessary DLL files for performing malicious activities and tranfers the exfiltrated information to the C2 server.
Malware disguised as resumes target corporations and are distributed along with not only the LockBit ransomware but an Infostealer as well. Therefore, companies must update their anti-malware software to the latest versions, and users must take extra caution. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
Trojan/Win.Generic.R613812
[Behavior Detection]
Ransom/MDP.Event.M4353
Win-Trojan/MalPeP.mexp
[IOC Info]
0d4967353b6e48ab671aed24899827aa
92350da914ba55c3137c9a8a585f7750
hxxp://128.140.96[.]230
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information
[…] recent report from AhnLab sheds light on a concerning evolution in cyber threats, particularly involving the […]
[…] itself as resumes, and recently found malicious Word files were also disguised as resumes [1]. The distribution method of LockBit ransomware using external URLs in Word files was first found in […]
[…] itself as resumes, and recently found malicious Word files were also disguised as resumes [1]. The distribution method of LockBit ransomware using external URLs in Word files was first found in […]