LockBit Operators Use Stealthy DLL Sideloading to Mask Malicious App as Legitimate One
Operators of LockBit ransomware have refined their tactics, techniques, and procedures (TTPs) to evade detection and maximize damage in a constantly changing threat landscape.
By exploiting DLL sideloading and masquerading, these attackers disguise malicious activities within legitimate system processes, enabling persistence and seamless integration into compromised environments.
DLL sideloading tricks trusted applications into loading malicious libraries, while masquerading renames files and processes to mimic benign ones, making them indistinguishable from routine operations.
This approach not only leverages inherent system trusts but also complicates identification by security tools, as seen in recent campaigns where LockBit payloads were bundled with digitally signed executables.
Evolving Tactics in Ransomware Deployment
Operators initiate attacks by gaining initial access through remote desktop tools like MeshAgent or TeamViewer, uploading and executing files directly on target machines.
Privilege escalation follows: utilities such as NSSM run remote access Trojans (RATs) as services, often under innocuous filenames like edge.exe.exe or o.exe, and PsExec spawns command prompts with SYSTEM privileges using commands like PsExec64.exe -s -i cmd.
Discovery phases involve tools like net.exe, nltest.exe, and query.exe to enumerate domain users, groups, trusts, and permissions, gathering intelligence for further infiltration.
Credential theft employs TokenUtils.exe to impersonate high-privilege tokens, such as NT AUTHORITY\SYSTEM, for executing commands, alongside Sd1.exe for extracting Kerberos tickets from domain controllers.
Lateral movement leverages Group Policy to distribute payloads across networks, including ransomware DLLs, masqueraded executables, and obfuscated PowerShell scripts that generate random keys, encrypt specific file types (e.g., PDFs, documents, images, and code files), and append extensions like .xlockxlock.
Impact is achieved through DLL sideloading examples: the legitimate jarsigner.exe loading a malicious jli.dll to deploy payloads; the renamed MpCmdRun.exe (as
Direct execution of ransomware binaries like encth.exe or dwa.exe further encrypts data, blending with system directories for camouflage.
Defensive Measures Amid LockBit’s Evolution

LockBit, operated by the Syrphid group, has extorted up to $500 million since 2019, but 2024 disruptions, including the indictment of alleged leader Dimitry Khoroshev and the leak of the LockBit 3.0 builder, have democratized its use among unaffiliated actors.
According to the report, these TTPs, observed in targeted campaigns, underscore the need for robust defenses.
Symantec EDR detects anomalies via AI summaries, while Carbon Black alerts on behaviors like Ransom.LockBit, Heur.AdvML.B, and SONAR.Ransomware!g3.
Network protections flag TeamViewer and MeshAgent activities, with C&C domains categorized as high-risk malnets. Behavioral indicators include untrusted processes accessing LSASS or PSEXEC launching suspicious commands.
Organizations should prioritize endpoint detection, anomaly monitoring, and patch management to counter these stealthy methods, as similar techniques could deploy other malware beyond LockBit.
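The behavioral indicators above (a trusted host loading an unsigned DLL from its own directory, double-extension filenames such as edge.exe.exe, PsExec spawning a SYSTEM shell, and a non-system process opening LSASS) translate directly into detection rules. The following is an added example, not code from the article or from Symantec: a small rule set run over constructed Sysmon-style JSON records (Event IDs 1, 7 and 10 with their real Sysmon field names; the paths, hostnames and file names in the sample events are made up). It shows how to separate the sideloading case from a legitimate signed load of the same DLL name.

```python
"""Detection rules for the LockBit TTPs described above, run over constructed
Sysmon-style events (JSON lines). Added example; sample data is invented."""
import json
import ntpath
import re

# Directories from which a DLL load by a trusted host is expected; loads from
# anywhere else (user profiles, ProgramData, temp folders) are treated as suspect.
TRUSTED_DLL_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# edge.exe.exe, foo.dll.exe, etc.
DOUBLE_EXT = re.compile(r"\.(exe|dll|scr|com)\.(exe|dll|scr|com)$", re.I)


def _lower(path):
    return (path or "").lower()


def detect_sideload(ev):
    """EID 7: an EXE loads an unsigned DLL from its own, non-system directory."""
    host, dll = _lower(ev.get("Image")), _lower(ev.get("ImageLoaded"))
    if not host.endswith(".exe") or not dll.endswith(".dll"):
        return None
    if _lower(ev.get("Signed")) != "false":        # the DLL carries a valid signature
        return None
    if any(dll.startswith(root) for root in TRUSTED_DLL_ROOTS):
        return None
    if ntpath.dirname(host) == ntpath.dirname(dll):
        return (f"possible DLL sideloading: {ntpath.basename(host)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(dll)}")
    return None


def detect_masquerade(ev):
    """EID 1: process image name with a double extension such as edge.exe.exe."""
    name = ntpath.basename(_lower(ev.get("Image")))
    if DOUBLE_EXT.search(name):
        return f"masquerading: double extension in {name}"
    return None


def detect_psexec_system_shell(ev):
    """EID 1: PsExec run with -s (SYSTEM) launching a command interpreter."""
    name = ntpath.basename(_lower(ev.get("Image")))
    cmd = _lower(ev.get("CommandLine"))
    if name.startswith("psexec") and re.search(r"(^|\s)-s(\s|$)", cmd) and "cmd" in cmd:
        return f"PsExec spawning SYSTEM shell: {ev.get('CommandLine')}"
    return None


def detect_lsass_access(ev):
    """EID 10: a process outside System32 opens lsass.exe (credential theft)."""
    target = ntpath.basename(_lower(ev.get("TargetImage")))
    src = _lower(ev.get("SourceImage"))
    if target == "lsass.exe" and not src.startswith("c:\\windows\\system32\\"):
        return f"untrusted process accessing LSASS: {src}"
    return None


# Rules keyed by Sysmon Event ID.
RULES = {
    1: (detect_masquerade, detect_psexec_system_shell),
    7: (detect_sideload,),
    10: (detect_lsass_access,),
}


def scan(jsonl_text):
    """Run every rule matching each event's ID; return [(EventID, finding), ...]."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES.get(ev.get("EventID"), ()):
            hit = rule(ev)
            if hit:
                findings.append((ev["EventID"], hit))
    return findings


# Constructed sample telemetry: one malicious and one benign case per rule.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Users\Public\jarsigner.exe",
     "ImageLoaded": r"C:\Users\Public\jli.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Java\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Java\bin\jli.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\ProgramData\edge.exe.exe", "CommandLine": "edge.exe.exe"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec64.exe", "CommandLine": "PsExec64.exe -s -i cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\o.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
])

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"[EID {event_id}] {finding}")
```

The sideloading rule deliberately requires all three conditions (unsigned DLL, non-system directory, same directory as the host) so that a legitimate jarsigner.exe loading its signed jli.dll from Program Files does not fire; in production the `Signed` check would be supplemented by Sysmon's `SignatureStatus` and the host path compared against the product's install location.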
Indicators of Compromise (IOC)
Type | Indicator | Description |
---|---|---|
File SHA-256 | f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97 | Nssm.exe |
File SHA-256 | 5ca8e1d001a2c3800afce017424ca471f3cba41f9089791074a9cb7591956430 | Tokenutils.exe |
File SHA-256 | 0201a6dbe62d35b81d7cd7d7a731612458644b5e3b1abe414b0ea86d3266ab03 | sd1.exe |
File SHA-256 | 1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870 | |
File SHA-256 | edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a | mpclient.dll |
File SHA-256 | 011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb | |
File SHA-256 | 4147589aa11732438751c2ecf3079fb94fa478a01ac4f08d024fb55f7ffb52f3 | clink_dll_x86.dll |
File SHA-256 | 10f1a789e515fdaf9c04e56b8a5330cfb1995825949e6db8c9eaba4ea9914c97 | jarsigner.exe |
File SHA-256 | 086567b46fca2a27d404d9b61bdb482394e1591dc13f1302b813bb2ddf5e54cf | jli.dll |
File SHA-256 | 6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108 | nxc.exe |
File SHA-256 | 785e5aaecd9430451f4b0bad637658e6afeea1e722b3d0dd674cb6a11f4ce286 | encth.exe, dwa.exe |
File SHA-256 | 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf | o.exe, edge.exe.exe |
Network | msupdate[.]updatemicfosoft[.]com | C&C Domain |