LockBit 3.0 Malware Using Weaponized Word Doc To Drop Ransomware Via Amadey Bot

The Amadey Bot has been found to be used by attackers to install LockBit 3.0 with the help of malicious MS Word document files, eventually dropping the ransomware strain.

In the year 2018, Amadey Bot was discovered that spread across the Internet. In addition to stealing information, this malware is capable of installing additional malware onto the targeted systems. 

As part of these executions, commands were received from the attacker in order to carry out the actions. A variety of attackers are still using this malware strain, just like other malware strains, that are being sold on illegal forums and continue to spread.

LockBit 3.0

Phishing emails masquerading as job application offers or notices of copyright breach are used by the threat actor to target victim companies.

A PowerShell script or executable file is downloaded as part of the LockBit 3.0 payload in this attack. Once done, then on the host threat actors run them together to encrypt files, Researchers at Ahnlab said.

In the beginning, the Powershell files are obscured, and then after being unobfuscated in memory, the files are structured to be executed. Since 2022, in Korea, Lockbits have been distributed by threat actors that are downloaded through the Amadey botnet.

It is necessary to use the following command to execute the Powershell form file that is downloaded by the Amadey botnet.

  • > “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -executionpolicy remotesigned -file “c:\users[username]\appdata\local\temp\1000018041\dd.ps1”

It is believed that Lockbit ransomware disables the user’s desktop by wrppaing it, and then it infects the files that are present in the user’s infected desktop environment and notifies the user of the change.

Afterward, a ransom note is created in each folder with the following information:-

Infection chain

There were two different distribution chains identified by the researchers. Here below we have mentioned the twi distribution chains used by threat actors:-

  • Malicious Word File
  • Executable Disguised as Word File

If the user clicks on the “Enable Content” button the macro will be executed, and this is applicable in the first case. Using this method, an LNK file will be created and stored in the following location:-

  • C:\Users\Public\skem.lnk

The file that will be downloaded is the Amadey downloader.

As for the second one, recipients are tricked into double-clicking a file named “Resume.exe” (Amadey) by the use of an icon mimicking a Word document, which appears like an attachment inside an email.

Infections caused by both of these distribution paths use the same C2 address to transmit Amadey. The operator is likely to be the same, so it is valid to assume the same thing.

During the interaction between Amadey and the C&C server, it receives three commands. A variety of malware is being downloaded and executed through the use of these commands.

Considering LockBit ransomware is being spread by a variety of methods, it is important for users to be cautious while downloading any content from unknown sources.

Show Your Zero-Trust Skills – Win the State of Zero-Trust Award – Take a Quiz

Priya James

Recent Posts

5 Best Technologies to Secure Kubernetes – 2023

Kubernetes security refers to the measures and practices used to protect a Kubernetes cluster and…

3 hours ago

Hackers Actively Exploiting VMware ESXi Servers to Deploy Ransomware

CERT-FR, the French Computer Emergency Response Team (CERT-FR), as well as administrators and hosting providers,…

7 hours ago

75 Best Android Penetration Testing Tools – 2023

Android penetration testing tools are more often used by security industries to test the vulnerabilities…

24 hours ago

High-severity Vulnerability in F5 BIG-IP Let Attackers Execute Arbitrary Code

F5 reports a high-severity format string vulnerability in BIG-IP that might allow an authenticated attacker…

1 day ago

Cloud Computing Penetration Testing Checklist – 2023

Cloud Computing Penetration Testing is a method of actively checking and examining the Cloud system…

2 days ago

50 Best Free Cyber Threat Intelligence Tools – 2023

Threat Intelligence Tools are more often used by security industries to test the vulnerabilities in…

2 days ago