LockBit RaaS emerged as the topmost threat in Q2 2022 because of its unique features and capability to conduct sophisticated malicious campaigns. In a new development, the ASEC analysis team found that the most recent version of the malware, LockBit 3.0, is being spread via Amadey Bot.

Diving into details

  • Amadey Bot is being propagated via two methods: a malicious Word document and an executable that disguises itself with a Word icon.
  • The bot receives three commands from the C2 server, which trigger the download and execution of malware from an external source.
  • Two of the LockBit samples are downloaded in PowerShell format, while the third is downloaded in exe format.
  • Threat actors are using keywords such as copyright and job application to distribute LockBit 3.0. 

Amadey Bot distribution

  • In October, the ASEC analysis team identified Amadey Bot masquerading as a popular Korean messenger program, KakaoTalk.
  • The malware pretended to be the KakaoTalk installation file and was disseminated via emails. 
  • In July, a new version of Amadey was found spreading via a SmokeLoader campaign. Previously, it was distributed via the Fallout and Rig exploit kits.

The wrath of LockBit

  • LockBit 3.0 added Thales to its list of victims on October 31 and threatened to leak the data if the ransom isn’t paid. 
  • Prior to Thales, the RaaS group had stolen 1.4TB worth of data from Kingfisher Insurance.
  • LockBit became the topmost threat by amassing 103 victims out of 230 in September alone. 
  • Furthermore, in its entire existence, the group has attacked 1,157 victims across the world. 

The bottom line

Researchers advise caution as LockBit pops up with new capabilities and distribution methods. Update your software, avoid clicking on suspicious links, and refrain from opening documents shared by unknown sources. LockBit RaaS has become a prolific threat; hence, implementing proactive defenses will give organizations the right edge against such threats.
Cyware Publisher