Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes

by Prapattimynk, Wednesday, 8 November 2023 (4 months ago)
Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes


The distribution method involving the impersonation of resumes is one of the main methods used by the LockBit ransomware. Information related to this has been shared through the ASEC Blog in February of this year. [1] In contrast to the past where only the LockBit ransomware was distributed, it has been confirmed that an Infostealer is also being included in recent distributions. [2] (This link is only available in Korean.)

Figure 1. Content of email disguised as a resume
Figure 2. Attachment containing malware

‘Resume16.egg’ holds the LockBit ransomware disguised as a PDF file (left) and the Vidar Infostealer disguised as a PPT file (right).

Figure 3. Executables within the compressed file

The executed ransomware is LockBit 3.0, which encrypts files on the user’s PC environment, excluding PE files.

Figure 4. LockBit 3.0 infection screen
Figure 5. LockBit 3.0 ransom note

The Vidar Infostealer, which is distributed alongside the LockBit ransomware, connects to a Telegram website before engaging in C2 communication. The website is the Telegram channel called “twowheelfun”. It uses a certain string mentioned on the page as the C2 server address. This method can often be observed from the Vidar Infostealer, and it allows bypassing network detection by periodically changing C2 servers.

Figure 6. Vidar C2 server

Following this, it connects to the actual C2 server to download the necessary DLL files for performing malicious activities and tranfers the exfiltrated information to the C2 server.

Figure 7. Downloading related DLL files
Figure 8. C2 response setting data

Malware disguised as resumes target corporations and are distributed along with not only the LockBit ransomware but an Infostealer as well. Therefore, companies must update their anti-malware software to the latest versions, and users must take extra caution. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
Trojan/Win.Generic.R613812

[Behavior Detection]
Ransom/MDP.Event.M4353
Win-Trojan/MalPeP.mexp

[IOC Info]
0d4967353b6e48ab671aed24899827aa
92350da914ba55c3137c9a8a585f7750
hxxp://128.140.96[.]230

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.