Analyzing LockBit’s Data Exfiltration Model

The analysis of the exfiltration tool

• Upon examining the malware, they observed the lack of metadata in the PE fields. However, researchers could find fields such as the compiler timestamp, bitness, the entry point, and a DOS header. Most of the other fields were still missing.
• Moreover, the Imphash section, which is the import table of the malware sample was found empty (without any APIs listed). Without loading the required libraries in the table, it was impossible to carry out the malicious operation.
• Digging deep, experts noted that hackers have implemented a low-level anti-analysis technique that looks for certain values in Process Environment Block, which is a data structure in the Windows NT systems.
• The attackers have also used the stack string obfuscation extensively to hide the native DLL names to be loaded in the missing library table.

The infrastructure used for exfiltration 

• The IP addresses used to host StealBit 2.0 have been used in the past operation for other malicious purposes. These attacks, which include phishing attacks on banks or distribution of mobile malware, were not related to the LockBit group.
• In one of the instances, the same IP address was used to carry out phishing attacks in Italy and ransomware data exfiltration at exact time periods.

A background into the campaign

• From July 1 to August 15, attacks associated with LockBit 2.0 were observed in the U.K, Taiwan, Chile, and Italy.
• Moreover, LockBit 2.0 abuses genuine tools (e.g. Process Hacker and PC Hunter) to stop processes/services of the victim's system.

Conclusion