Stealthy TTPs help ransomware attackers remain under the radar.
Analysis Summary
# Tool/Technique: DLL Sideloading and Masquerading (Leveraged by LockBit)
## Overview
This summary focuses on the sophisticated techniques—specifically DLL sideloading and masquerading—used by the LockBit ransomware group to conceal execution, evade detection, and establish persistence on compromised systems by leveraging the trust associated with legitimate applications and system binaries.
## Technical Details
- Type: Technique (DLL Sideloading, Masquerading)
- Platform: Windows
- Capabilities: Stealthy execution of malicious payloads, evasion of detection, establishment of persistence.
- First Seen: Not specified in the context, but used in recent LockBit attacks.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - **T1574 - Hijack Execution Flow**
    - **T1574.001 - DLL Side-Loading**
  - **T1036 - Masquerading**
    - **T1036.005 - Match Legitimate Name or Location** (implied by renaming executables and placing them in system directories)
## Functionality
### Core Capabilities
**DLL Sideloading:**
* A legitimate, digitally signed application (the loader) is induced to load a malicious Dynamic Link Library (DLL) with an identical name instead of the intended legitimate one.
* Achieved by placing the malicious DLL in a directory searched earlier in the load order than the legitimate DLL's location.
* Used to execute the initial ransomware payload or subsequent malicious activities.
**Masquerading:**
* Renaming malicious files to resemble common system filenames (e.g., `svchost.exe`, `explorer.exe`, `cmd.exe`).
* Spoofing process names or manipulating process information to appear as legitimate services.
* Using icons identical to verified Windows applications to appear less suspicious.
* Deploying malicious files in trusted directories like `C:\Windows\System32` or `C:\ProgramData`.
### Advanced Features
* **Chained Exploitation/Loading:** Specific examples illustrate complex loading chains:
  * `jarsigner.exe` loading a malicious `jli.dll`.
  * A renamed `MpCmdRun.exe` loading a malicious `mpclient.dll` (associated with Windows Defender components).
  * A renamed `Clink_x86.exe` loading a malicious `clink_dll_x86.dll`.
* **Initial Access via RDP Tools:** The attack chain suggests that initial access is gained via compromised remote desktop tools (MeshAgent, TeamViewer), after which files are uploaded and executed using these stealth techniques.
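The precedence described under "DLL Sideloading" above follows from the order in which Windows probes directories for a DLL that is not already loaded, not a KnownDLL, and not redirected by a manifest. The following is an added example, not code from the report, that models the default search order (SafeDllSearchMode enabled) against a constructed directory listing, so an analyst can check where a given load would resolve and whether that is the directory the DLL legitimately ships in. The Defender install path, the staging folder and the file listing are assumptions for illustration.

```python
# Added example (not from the report): model of the default Windows DLL search order
# with SafeDllSearchMode enabled, for a DLL that is not a KnownDLL and is not
# redirected by a manifest. Shows why a same-named DLL beside a copied loader is
# resolved before the legitimate copy, and where a load falls through otherwise.
from pathlib import PureWindowsPath

WINDOWS = PureWindowsPath(r"C:\Windows")


def search_order(loader_path, cwd, path_dirs=()):
    """Directories probed in order: loader's directory, System32, System, Windows, CWD, PATH."""
    return [
        PureWindowsPath(loader_path).parent,
        WINDOWS / "System32",
        WINDOWS / "System",
        WINDOWS,
        PureWindowsPath(cwd),
        *(PureWindowsPath(d) for d in path_dirs),
    ]


def resolve(loader_path, dll_name, present_files, cwd=r"C:\Users\user", path_dirs=()):
    """Return the first candidate path present on disk, or None if nothing satisfies the load."""
    present = {PureWindowsPath(p) for p in present_files}  # comparisons are case-insensitive
    for directory in search_order(loader_path, cwd, path_dirs):
        candidate = directory / dll_name
        if candidate in present:
            return candidate
    return None


def resolved_from_expected_dir(loader_path, dll_name, expected_dir, files=None):
    """True when the load resolves into the directory the DLL legitimately ships in."""
    hit = resolve(loader_path, dll_name, FILES if files is None else files)
    return hit is not None and hit.parent == PureWindowsPath(expected_dir)


# Constructed listing (assumed paths): the legitimate Defender copy of mpclient.dll,
# a staging folder holding a copied MpCmdRun.exe plus a same-named mpclient.dll,
# and a placeholder sample.dll that exists only in System32.
LEGIT_DIR = r"C:\Program Files\Windows Defender"
STAGING_DIR = r"C:\ProgramData\stage"
FILES = [
    LEGIT_DIR + r"\MpCmdRun.exe",
    LEGIT_DIR + r"\mpclient.dll",
    STAGING_DIR + r"\MpCmdRun.exe",
    STAGING_DIR + r"\mpclient.dll",
    r"C:\Windows\System32\sample.dll",
]

if __name__ == "__main__":
    print(resolve(LEGIT_DIR + r"\MpCmdRun.exe", "mpclient.dll", FILES))    # legitimate copy
    print(resolve(STAGING_DIR + r"\MpCmdRun.exe", "mpclient.dll", FILES))  # staged copy wins
    print(resolve(STAGING_DIR + r"\MpCmdRun.exe", "sample.dll", FILES))    # falls through to System32
    print(resolved_from_expected_dir(STAGING_DIR + r"\MpCmdRun.exe", "mpclient.dll", LEGIT_DIR))
```

The third call shows the complementary case: when the loader's own directory holds no copy, resolution falls through to System32, which is why the report's chains all pair a copied loader with a DLL that normally lives beside it rather than in a system directory. Real resolution also depends on KnownDLLs, already-loaded modules and manifest redirection, which this model deliberately omits.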
## Indicators of Compromise
- File Hashes:
  - `f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97` (Nssm.exe)
  - `5ca8e1d001a2c3800afce017424ca471f3cba41f9089791074a9cb7591956430` (Tokenutils.exe)
  - `0201a6dbe62d35b81d7cd7d7a731612458644b5e3b1abe414b0ea86d3266ab03` (sd1.exe)
  - `1cd644b750884906b707419c8f40598c04f1402e4e93cbf4a33f3254846dc870` (.exe - Masqueraded MpCmdRun.exe)
  - `edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a` (mpclient.dll)
  - `011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb` (access.exe - Masqueraded clink_x86.exe)
  - `4147589aa11732438751c2ecf3079fb94fa478a01ac4f08d024fb55f7ffb52f3` (clink_dll_x86.dll)
  - `10f1a789e515fdaf9c04e56b8a5330cfb1995825949e6db8c9eaba4ea9914c97` (jarsigner.exe)
  - `086567b46fca2a27d404d9b61bdb482394e1591dc13f1302b813bb2ddf5e54cf` (jli.dll)
  - `6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108` (nxc.exe)
  - `785e5aaecd9430451f4b0bad637658e6afeea1e722b3d0dd674cb6a11f4ce286` (encth.exe, dwa.exe)
  - `24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf` (o.exe, edge.exe.exe)
- File Names: `mpclient.dll`, `jli.dll`, files renamed to mimic `svchost.exe`, `explorer.exe`, `cmd.exe`.
- Network Indicators: `msupdate[.]updatemicfosoft[.]com`
## Associated Threat Actors
- LockBit Ransomware Operators
## Detection Methods
- **Signature-based detection:** Antivirus signatures matching known ransomware components (e.g., `Malware: Heur.AdvML.B!100`) on specific DLL paths.
- **Behavioral detection:**
  - Monitoring for remote access tool activity (TeamViewer, MeshAgent).
  - Detection via specific behavioral alarms (PSEXEC running `net`/`quser` commands, untrusted processes accessing LSASS).
  - Carbon Black reports detecting discovery scans (`Discovery - NLTest Domain Trust Enumeration`).
- **Network-based protection:** Blocking or auditing traffic to known malicious categories/risk levels (e.g., `Malicious Sources/Malnets(43)`).
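The behavioral detections listed above, and the mitigation of watching for applications that load DLLs from non-standard locations, can be expressed as rules over endpoint telemetry. The following is an added example, not code from the report or from any vendor product: it runs three rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) and flags the loader chains and masquerading patterns the report describes. Field names (`Image`, `OriginalFileName`, `ImageLoaded`, `Signed`, `ProcessGuid`) follow Sysmon; the sample events, install paths and the "vendor roots" list are assumptions for illustration.

```python
# Added example, not part of the report or of any vendor product: rule logic over
# Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) that
# flags the sideloading chains and masquerading patterns described in the report.
# Field names follow Sysmon; sample events and install paths are constructed.
from pathlib import PureWindowsPath

# Loader -> DLL pairs named in the report (compared case-insensitively).
KNOWN_CHAINS = {
    "jarsigner.exe": "jli.dll",
    "mpcmdrun.exe": "mpclient.dll",
    "clink_x86.exe": "clink_dll_x86.dll",
}
# System binary names the report says are mimicked; all ship under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "cmd.exe"}
WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")
# Roots from which a signed vendor DLL is ordinarily loaded (assumption for this example).
VENDOR_ROOTS = (WINDOWS_ROOT, PureWindowsPath(r"C:\Program Files"),
                PureWindowsPath(r"C:\Program Files (x86)"))


def under(path, root):
    """True if path is root or lies beneath it (PureWindowsPath compares case-insensitively)."""
    path = PureWindowsPath(path)
    return path == root or root in path.parents


def basename(path):
    return PureWindowsPath(path).name.lower()


def analyse(events):
    """Return (rule, event_index) findings for a chronologically ordered list of event dicts."""
    findings = []
    original_name = {}  # ProcessGuid -> name from the PE version resource (Event ID 1)
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            name = basename(ev["Image"])
            orig = ev.get("OriginalFileName", "-").lower()
            orig = "" if orig == "-" else orig  # Sysmon writes "-" when the resource is absent
            original_name[ev["ProcessGuid"]] = orig or name
            # Renamed binary: on-disk name no longer matches the compiled-in name
            # (e.g. access.exe whose version resource still says clink_x86.exe).
            if orig and orig != name:
                findings.append(("renamed_binary", i))
            # System-name masquerade: a well-known name running from outside C:\Windows.
            if name in SYSTEM_NAMES and not under(ev["Image"], WINDOWS_ROOT):
                findings.append(("system_name_masquerade", i))
        elif ev["EventID"] == 7:
            # Identify the loader by its original name so renaming does not defeat the rule.
            loader = original_name.get(ev["ProcessGuid"], basename(ev["Image"]))
            dll = basename(ev["ImageLoaded"])
            if KNOWN_CHAINS.get(loader) == dll:
                unsigned = ev.get("Signed", "false").lower() != "true"
                odd_location = not any(under(ev["ImageLoaded"], r) for r in VENDOR_ROOTS)
                if unsigned or odd_location:
                    findings.append(("sideload_chain", i))
    return findings


# Constructed sample: a renamed Clink loader with its unsigned companion DLL in
# ProgramData, a legitimate jarsigner.exe loading its own jli.dll, a fake svchost.exe
# in a user-writable folder, and the real cmd.exe as a benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\ProgramData\Microsoft\access.exe",
     "OriginalFileName": "clink_x86.exe"},
    {"EventID": 7, "ProcessGuid": "{G1}", "Image": r"C:\ProgramData\Microsoft\access.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\clink_dll_x86.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Program Files\Java\jdk\bin\jarsigner.exe",
     "OriginalFileName": "jarsigner.exe"},
    {"EventID": 7, "ProcessGuid": "{G2}", "Image": r"C:\Program Files\Java\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk\bin\jli.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"EventID": 1, "ProcessGuid": "{G4}", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
]

if __name__ == "__main__":
    for rule, idx in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} {SAMPLE_EVENTS[idx]['Image']}")
```

The `renamed_binary` rule is a triage signal rather than a verdict: installers, portable tools and some vendor binaries legitimately carry an `OriginalFileName` that differs from their on-disk name, so in production it is best combined with the location and signature checks, as the `sideload_chain` rule does by treating an unsigned DLL or a DLL outside the vendor roots as the trigger.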
## Mitigation Strategies
- Strong monitoring/auditing of remote desktop tool execution (TeamViewer, MeshAgent).
- Implementing strict enforcement of DLL loading policies where possible, though difficult due to OS dependencies.
- Monitoring for suspicious file placement in system or application directories (`C:\Windows\System32`, `C:\ProgramData`).
- Monitoring for applications unexpectedly loading dynamically linked libraries from insecure or non-standard locations.
- Hardening against the specific known loader chains (e.g., monitoring execution paths related to `jarsigner.exe` or `MpCmdRun.exe`).
## Related Tools/Techniques
- MeshAgent (used for Initial Access)
- TeamViewer (used for Initial Access)
- PSEXEC (used for lateral movement based on alarms)