One of the interesting tricks used by LockBit affiliates is disguising their malware as copyright claims in order to trick users into infecting their devices with ransomware.
There is a copyright violation notice sent through email to these users, apparently containing information that they are using media files without permission from the creators.
It is because of such emails that recipients are urged to remove content that they consider infringing on their websites.
Technical Analysis
Cybersecurity researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly used in the body of the emails.
The recipient should instead be asked to open and download the attached file in order to view the content deemed infringing. The email attachment sent by the threat actors is a ZIP archive and this ZIP archive is password protected.
While this ZIP file contains a compressed file that contains a copy of a PDF document which is actually an NSIS installer that is disguised as a PDF document.
This is done for the purpose of evading detection from email security software, which is why there is mandatory wrapping and password protection.
An encrypted file has an extension called .lockbit and has an icon that indicates its encryption status. Furthermore, the folder with the encrypted files has a ransom note named ‘Restore-My-Files.txt’ created inside of it.
Fake Copyright Claims
It is possible for a victim to view what images are being used illegally by simply opening the document intended to be a PDF attached to the email. If they open it, the malware will be loaded and the LockBit 2.0 ransomware will be used to encrypt the device.
In any case, you need not be surprised by LockBit using copyright violations as a tactic for malware distribution. Since it is a common lure that is used nowadays in several malware distribution campaigns.
Publishers of content should seriously consider this issue of copyright claims if they want to avoid legal issues in the future.
If the notification doesn’t give you any concrete details about the violation or you are required to open attached files in order to view details in the complaint, then it is unlikely that it is a legitimate notice.
Users may run attached files without realizing they have done it, as e-mails distributing malware types like this may contain the name of the actual illustrator, whose work they are viewing. Therefore, users should be very cautious when they are downloading such attachments.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.
