
Great analysis video on how LockBit spreads via XLL documents

vei (L3 cache)
User, registered 18.03.2022, 282 messages, 137 reactions
Could belong in the Reversing Section instead, but I thought the Malware section was a good place to post.

Please move this thread if it belongs elsewhere.

LockBit's XLL document Analysis

As some of you already know, now that Office macros from the internet are disabled and blocked by default, many APT groups have shifted to XLL spreading as well, as .LNK files are obvious and it's all too common to see a password-protected .RAR/ZIP => .ISO => .LNK => .JS/.BAT/.PS1/.HTA/.CHM => .DLL, and sometimes even lengthier solutions such as .URL, .WSH, .CHM, etc. filetypes. Even going as far as .RTF files that drop add-in files to the Office Startup folder. As we know, the more obscure and noisy it is, the more luck you have, so it's interesting to see LockBit always staying ahead with research coming out of the infosec community.

While lolbins will always be a great solution and more and more are found every day, I thought it was interesting to see LockBit choose the XLL method of spreading, as most other large ransomware groups use the longer routes mentioned earlier (and I think they are brilliant for choosing XLL over the latter).

In general, having debugged a bit of LockBit v2 myself, the code is brilliant and truly a work of art unto itself, as ransomware doesn't have many instructions in the long run when you break it down.

But I thought sharing this video and some thoughts would be worth a small read for those interested in following how major titans take on the most crucial first step to drop malware onto a host without setting off all the alarms.
 
Thought XLL was blocked
Nope, they're add-in plug-ins for Excel, so all that would happen is a popup would show up asking for permission to use it on Excel.

Example of a report written just last week or so about the use of XLL filetypes for phishing.
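Since an XLL is just a native DLL that Excel loads after the add-in prompt, a mail or file gateway can triage attachments for it without opening Excel. The following is an added example for defenders, not code from the thread or from any report it mentions: it checks for an MZ/PE image, looks for the `xlAutoOpen`-family export names an XLL must expose, and flags a PE that arrives under a spreadsheet extension. The sample attachment bytes are constructed here; a real XLL would need a full export table, which this heuristic only string-matches.

```python
import pathlib
import struct

# Constructed stand-in for an attachment: a bare MZ/PE stub carrying the
# export names every XLL add-in exposes to Excel (not a real add-in).
SAMPLE_XLL = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew -> 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20
    + b"xlAutoOpen\x00xlAddInManagerInfo\x00"
)

# Entry points Excel calls on an XLL; their names live in the export table.
XLL_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")
# Spreadsheet formats that are ZIP or OLE containers, never PE images.
EXCEL_DOC_EXTS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".csv"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify an attachment; 'block' is True when any XLL indicator fires."""
    ext = pathlib.PurePath(name).suffix.lower()
    pe = is_pe(data)
    exports = [e.decode() for e in XLL_EXPORTS if pe and e in data]
    findings = []
    if ext == ".xll":
        findings.append("xll-attachment")          # extension alone is enough to hold
    if exports:
        findings.append("native-code-with-xll-exports")
    if pe and ext in EXCEL_DOC_EXTS:
        findings.append("pe-masquerading-as-spreadsheet")
    return {"pe": pe, "xll_exports": exports, "findings": findings,
            "block": bool(findings)}


if __name__ == "__main__":
    print(triage_attachment("invoice.xll", SAMPLE_XLL))
```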
 

