Home Internet Security LockFile ransomware uses PetitPotam attack to hijack Windows domains

LockFile ransomware uses PetitPotam attack to hijack Windows domains


New LockFile ransomware leverages PetitPotam NTLM relay attack to take over domain controllers

Not less than one ransomware risk actor has began to leverage the lately found PetitPotam NTLM relay attack technique to take over the Home windows area on varied networks worldwide.

Behind the assaults seems to be a brand new ransomware gang referred to as LockFile that was first seen in July, which exhibits some resemblance and references to different teams within the enterprise.

Exploiting PetitPotam for DC entry

LockFile assaults have been recorded largely within the U.S. and Asia, its victims together with organizations within the following sectors: monetary providers, manufacturing, engineering, authorized, enterprise providers, journey, and tourism.

Safety researchers at Symantec, a division of Broadcom, mentioned that the actor’s preliminary entry on the community is thru Microsoft Change servers however the actual technique stays unknown in the meanwhile.

Subsequent, the attacker takes over the group’s area controller by leveraging the brand new PetitPotam technique, which forces authentication to a distant NTLM relay underneath LockFile’s management.

Found by safety researcher Gilles Lionel in July, PetitPotam has a couple of variations that Microsoft saved attempting to dam. At this level, the official mitigations and updates don’t utterly block the PetitPotam assault vector.

LockFile risk actor appears to depend on publicly obtainable code to exploit the original PetitPotam (tracked as CVE-2021-36942) variant.

As soon as the attackers efficiently take over the area controller, they successfully have management over all the Home windows area and may run any command they need.

LockBit likeness

Symantec notes in a weblog put up right now that the ransom notice from LockFile ransomware is similar to the one utilized by the LockBit ransomware group.

Ransom note from LockFile ransomware
supply: BleepingComputer

Moreover, it seems like the brand new gang additionally makes a not-so-subtle reference to the Conti gang within the contact e-mail deal with they depart for the sufferer: contact@contipauper[.]com.

If we have been to take a position concerning the selection for the e-mail’s area, lets say that LockFile seems just like the venture of the disgruntled Conti affiliate that leaked the gang’s assault playbook.

Gaps within the assault chain

Symantec analyzed LockFile’s assault chain and notice that the hackers sometimes spend at the very least a number of days on the community earlier than detonating the file-encrypting malware, typical for this sort of assaults.

The researchers say that when compromising the sufferer’s Change server, the attacker runs a PowerShell command that downloads a file from a distant location.

Within the final stage of the assault, 20 to half-hour earlier than deploying the ransomware, the risk actor proceeds to take over the area controller by putting in on the compromised Change server the PetitPotam exploit and two information:

  • active_desktop_render.dll
  • active_desktop_launcher.exe (professional KuGou Lively Desktop launcher)

The professional KuGou Lively Desktop launcher is abused to carry out a DLL hijacking assault to load the malicious DLL to evade detection by safety software program.

The researchers say that when loaded by the launcher, the DLL tries to load and decrypt a file referred to as “desktop.ini” that comprises shellcode. Symantec has not retrieved the file for evaluation however says {that a} profitable operation ends with working the shellcode.

“The encrypted shellcode, nonetheless, very possible prompts the efspotato.exe file that exploits PetitPotam” – Symantec

The ultimate step is to repeat the LockFile ransomware payload on the native area controller and push it throughout the community with the assistance of a script and executables that run on shopper hosts instantly after authentication to the server.

Symantec believes that LockFile is a brand new ransomware actor and that it may have a connection to different gamers within the enterprise, both recognized in the neighborhood or retired.

LockFile continues to be energetic and has been seen as lately as right now inside a sufferer community.

Source link