LockBit 3.0 Malware Using Weaponized Word Doc To Drop Ransomware Via Amadey Bot

The Amadey Bot has been found to be used by attackers to install LockBit 3.0 with the help of malicious MS Word document files, eventually dropping the ransomware strain.

In the year 2018, Amadey Bot was discovered that spread across the Internet. In addition to stealing information, this malware is capable of installing additional malware onto the targeted systems. 

As part of these executions, commands were received from the attacker in order to carry out the actions. A variety of attackers are still using this malware strain, just like other malware strains, that are being sold on illegal forums and continue to spread.

SIEM as a Service

LockBit 3.0

Phishing emails masquerading as job application offers or notices of copyright breach are used by the threat actor to target victim companies.

A PowerShell script or executable file is downloaded as part of the LockBit 3.0 payload in this attack. Once done, then on the host threat actors run them together to encrypt files, Researchers at Ahnlab said.

In the beginning, the Powershell files are obscured, and then after being unobfuscated in memory, the files are structured to be executed. Since 2022, in Korea, Lockbits have been distributed by threat actors that are downloaded through the Amadey botnet.

It is necessary to use the following command to execute the Powershell form file that is downloaded by the Amadey botnet.

  • > “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -executionpolicy remotesigned -file “c:\users[username]\appdata\local\temp\1000018041\dd.ps1”

It is believed that Lockbit ransomware disables the user’s desktop by wrppaing it, and then it infects the files that are present in the user’s infected desktop environment and notifies the user of the change.

Afterward, a ransom note is created in each folder with the following information:-

Infection chain

There were two different distribution chains identified by the researchers. Here below we have mentioned the twi distribution chains used by threat actors:-

  • Malicious Word File
  • Executable Disguised as Word File

If the user clicks on the “Enable Content” button the macro will be executed, and this is applicable in the first case. Using this method, an LNK file will be created and stored in the following location:-

  • C:\Users\Public\skem.lnk

The file that will be downloaded is the Amadey downloader.

As for the second one, recipients are tricked into double-clicking a file named “Resume.exe” (Amadey) by the use of an icon mimicking a Word document, which appears like an attachment inside an email.

Infections caused by both of these distribution paths use the same C2 address to transmit Amadey. The operator is likely to be the same, so it is valid to assume the same thing.

During the interaction between Amadey and the C&C server, it receives three commands. A variety of malware is being downloaded and executed through the use of these commands.

Considering LockBit ransomware is being spread by a variety of methods, it is important for users to be cautious while downloading any content from unknown sources.

Show Your Zero-Trust Skills – Win the State of Zero-Trust Award – Take a Quiz