NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed – ASEC BLOG

In February and June, the ASEC Analysis team posted in the blog about LockBit 2.0 ransomware being distributed via email. In this blog, we will introduce the new version of the LockBit 3.0 ransomware that is still being distributed through similar method. While in June there were multiple cases of the ransomware being distributed disguised as a copyright-related email, recently it is being distributed as a phishing email disguised as an email on the subject of job applications.

Figure 1. Distributed email 1
Figure 2. Distributed email 2

As shown in the figure above, there are cases where the password for the compressed file is written on the attached compressed file name, but there have been cases found where the password is written in the text of the email. In the latter, only the recipient of said email can decompress and run this file. This can be an attempt to prevent detection of the contents with only the compressed file, bypassing anti-malware scans, or an attempt to distribute targeting specific email recipients.

The compressed file contains another compressed .alz file and uncompressing this file will reveal the LockBit 3.0 ransomware file disguised with an HWP file icon, inside.

Figure 3. Inside the compressed file directory

It has been found that this ransomware is being distributed under various file names, with the common theme that it is being disguised as a job application (resume).

● JobApplication_220919(Please check my experiences I’ve also included).exe
● _Application_220919(Please check my experiences I’ve also included).exe
● Resume I will work hard please see me as favorable thank you.exe
● JobApplication_220907_I will work hard.exe
● Resume.exe

These LockBit 3.0 files are in NSIS (Nullsoft Scriptable Install System) format and are a script-based installed file format. Upon uncompressing the file, there exists ‘an unknown file format with a particular number’, a ‘normal System.dll module’, and ‘[NSIS].nsi’.

● Unknown file format with a particular number: Contains a shell code and the encrypted LockBit 3.0 PE
● Normal System.dll module: A normal module used to run nsis
● [NSIS].nsi: The script file used to execute NSIS. NSIS runs based on this script file

Analysis of the file distributed under the name “Resume I will work hard please see me as favorable thank you.exe” as an example reveals the following.

As mentioned in Figure 4, this NSIS file contains the ‘Certain number 1213645181 file’, a ‘$PLUGINSDIR folder with System.dll’ and the ‘[NSIS].nsi file’. The NSIS executable installation file is run based on the ‘[NSIS].nsi’ script, and according to this code, it generates the ‘1213645181 file’ before injecting the decrypted LockBit 3.0 PE onto itself to run.

Like the contents of the nsi script code, first, the file generates a shell code and the ‘1213645181 file’ which contains the encrypted LockBit 3.0, inside the %temp% directory.

Figure 4. Encoded data (1213645181 file) created in the TEMP directory

Then, it executes a shell code in a specific OFFSET position of the ‘1213645181 file’ to decrypt the internal LockBit 3.0 executable and inject it onto itself to be run.

Figure 5. Shell code location identification

When the computer is infected with LockBit 3.0, it alters registry values to deactivate the following services.

● sppsvc: Software protection service
● WinDefend: Windows Defender service
● wscsvc: Windows Security Center service
● VSS: Volume shadow copy service

Then, it encrypts the files in the user system, and the encrypted files have their icons changed and their file names changed to “Original File Name.[random character array]”. It also creates a ransom note and changes the wallpaper.

Figure 6. Example of the encrypted file
Figure 7. Changed wallpaper after files have been encrypted

Because LockBit 3.0 ransomware is distributed disguised as emails with resumes, there is a high probability it is targeting corporations. Each company must update its anti-malware software to the latest version and strongly advise its employees against potentially opening spam mail. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.LockBit.C5226681
  • Ransomware/Win.LockBit.R521104

[Behavior Detection]

  • Ransom/MDP.Event.M4353

[IOC Info]

  • 2c0eeb266061631845a9e21156801afd
  • ad1b5253f07584c0d0c2d3caaf38af34

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/39259/