LockBit Operators Using Stealthy DLL Sideloading Technique to Load Malicious App as Legitimate One

LockBit ransomware operators have adopted an increasingly sophisticated approach to evade detection by leveraging DLL sideloading techniques that exploit the inherent trust placed in legitimate applications.

This stealthy method involves tricking legitimate, digitally signed applications into loading malicious Dynamic Link Libraries instead of their intended components, allowing cybercriminals to execute ransomware payloads while masquerading as trusted system processes.

The technique has proven particularly effective because it exploits the Windows DLL search order mechanism, where applications search for required libraries in specific directory sequences.

By strategically placing malicious DLLs with identical names to legitimate ones in directories that are searched before the actual library locations, attackers can hijack the loading process of trusted applications.

This approach bypasses many traditional security measures that rely on application reputation and digital signatures for threat detection.

Recent attack campaigns have demonstrated LockBit’s evolution beyond conventional deployment methods, with threat actors now combining DLL sideloading with extensive masquerading techniques.

Security threat intelligence analysts have identified multiple instances where attackers rename malicious executables to mimic company domain names, further enhancing their ability to blend into legitimate network traffic and avoid detection by security monitoring systems.

The ransomware group has been observed targeting high-value organizations through initial access via remote management tools such as MeshAgent and TeamViewer, subsequently deploying their sophisticated DLL sideloading mechanism to establish persistence and execute the encryption payload.

Advanced DLL Sideloading Implementation

LockBit’s implementation of DLL sideloading demonstrates remarkable technical sophistication, utilizing three primary legitimate application combinations to deliver their ransomware payload.

The most prominent example involves the Java platform components Jarsigner.exe and jli.dll, where attackers place a legitimate jarsigner.exe alongside a malicious jli.dll in the same directory.

When executed, jarsigner.exe naturally attempts to load jli.dll for its functionality, inadvertently loading the malicious version that serves as a loader for the LockBit payload.

Similarly, the group exploits Windows Defender components by using a renamed MpCmdRun.exe, masqueraded with company domain names, paired with a malicious mpclient.dll.

This particular technique is especially insidious as it leverages security software components to deliver malware, making detection significantly more challenging for security teams.

function gg($path) {
  $ke = GER(32); $ig =GER(16);
  $files=gci $path -Recurse -Include *.pdf, *.doc, *.docx, *.xls, *.xlsx
  foreach ($file in $files) { EFI $file $key $iv $eee }
}

The encryption process employs a hybrid RSA and AES encryption scheme embedded within obfuscated PowerShell scripts.

Files are encrypted using randomly generated AES keys, which are then encrypted with an embedded RSA public key, ensuring that decryption remains impossible without the corresponding private key held by the attackers.

The ransomware targets over thirty different file extensions and appends the distinctive .xlockxlock extension to encrypted files, making the impact immediately visible to victims while ensuring comprehensive data encryption across various file types commonly found in enterprise environments.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches