Cyber Security

Analyzing LockBit’s Information Exfiltration Mannequin | Cyware Alerts

LockBit operates as a RaaS and helps its companions by offering StealBit knowledge exfiltration service. Yoroi Malware ZLAB examined Stealbit 2.0, the group’s just lately developed customized software specialised in knowledge exfiltration.

The evaluation of the exfiltration software

Researchers revealed that the malware authors have taken severe steps to guard the code of StealBit 2.0 stealer and total operations.

  • Upon analyzing the malware, they noticed the dearth of metadata within the PE fields. Nonetheless, researchers may discover fields such because the compiler timestamp, bitness, the entry level, and a DOS header. Many of the different fields had been nonetheless lacking.
  • Furthermore, the Imphash part, which is the import desk of the malware pattern was discovered empty (with none APIs listed). With out loading the required libraries within the desk, it was unimaginable to hold out the malicious operation.
  • Digging deep, consultants famous that hackers have applied a low-level anti-analysis technique that appears for sure values in Course of Atmosphere Block, which is a knowledge construction within the Home windows NT techniques.
  • The attackers have additionally used the stack string obfuscation extensively to cover the native DLL names to be loaded within the lacking library desk.

The infrastructure used for exfiltration 

Moreover, Yoroi researchers analyzed the static configurations of the malware pattern and had been in a position to extract some distant IP addresses which offered extra insights.

  • The IP addresses used to host StealBit 2.0 have been used prior to now operation for different malicious functions. These assaults, which embody phishing assaults on banks or distribution of cell malware, weren’t associated to the LockBit group.
  • In one of many situations, the identical IP deal with was used to hold out phishing assaults in Italy and ransomware knowledge exfiltration at actual time durations.

A background into the marketing campaign

Within the final month, TrendMicro launched a report detailing the latest marketing campaign by LockBit 2.0.
  • From July 1 to August 15, assaults related to LockBit 2.0 had been noticed within the U.Okay, Taiwan, Chile, and Italy.
  • Furthermore, LockBit 2.0 abuses real instruments (e.g. Course of Hacker and PC Hunter) to cease processes/companies of the sufferer’s system.


The evolution of StealBit into StealBit 2.0 highlights the truth that cybercriminals are investing a lot of time and efforts in enhancing their knowledge exfiltration capabilities. Due to such instruments, defending delicate info is now more difficult than ever. Subsequently, organizations are really helpful to focus extra on defending their knowledge.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *