LockBit operates as a RaaS and helps its partners by providing StealBit data exfiltration service. Yoroi Malware ZLAB examined Stealbit 2.0, the group’s recently developed custom tool specialized in data exfiltration.

The analysis of the exfiltration tool

Researchers revealed that the malware authors have taken serious steps to protect the code of StealBit 2.0 stealer and overall operations.
  • Upon examining the malware, they observed the lack of metadata in the PE fields. However, researchers could find fields such as the compiler timestamp, bitness, the entry point, and a DOS header. Most of the other fields were still missing.
  • Moreover, the Imphash section, which is the import table of the malware sample was found empty (without any APIs listed). Without loading the required libraries in the table, it was impossible to carry out the malicious operation.
  • Digging deep, experts noted that hackers have implemented a low-level anti-analysis technique that looks for certain values in Process Environment Block, which is a data structure in the Windows NT systems.
  • The attackers have also used the stack string obfuscation extensively to hide the native DLL names to be loaded in the missing library table.

The infrastructure used for exfiltration 

Furthermore, Yoroi researchers analyzed the static configurations of the malware sample and were able to extract some remote IP addresses which provided additional insights.
  • The IP addresses used to host StealBit 2.0 have been used in the past operation for other malicious purposes. These attacks, which include phishing attacks on banks or distribution of mobile malware, were not related to the LockBit group.
  • In one of the instances, the same IP address was used to carry out phishing attacks in Italy and ransomware data exfiltration at exact time periods.

A background into the campaign

In the last month, TrendMicro released a report detailing the recent campaign by LockBit 2.0.
  • From July 1 to August 15, attacks associated with LockBit 2.0 were observed in the U.K, Taiwan, Chile, and Italy.
  • Moreover, LockBit 2.0 abuses genuine tools (e.g. Process Hacker and PC Hunter) to stop processes/services of the victim's system.


The evolution of StealBit into StealBit 2.0 highlights the fact that cybercriminals are investing lots of time and efforts in improving their data exfiltration capabilities. Because of such tools, protecting sensitive information is now more challenging than ever. Therefore, organizations are recommended to focus more on protecting their data.

Cyware Publisher