November 9, 2022 at 1:25 PM
A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of a device and then encrypt it.
According to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job application offers or copyright infringement notices.
The LockBit 3.0 payload used in this attack is downloaded either as an obfuscated PowerShell script or as an executable, and is then run on the host to encrypt files.
Amadey Bot activity
The Amadey Bot malware is an old strain capable of performing system reconnaissance, data exfiltration, and payload loading.
Korean researchers at AhnLab have noticed increased Amadey Bot activity in 2022 and reported finding a new version of the malware in July, dropped via SmokeLoader.
The latest version added antivirus detection and auto-avoidance capabilities, making intrusions and dropping payloads stealthier.
In the July campaign, Amadey dropped various information-stealing malware, such as RedLine, but the more recent campaign loads a LockBit 3.0 payload instead.
Infection chains
AhnLab researchers noticed two distinct distribution chains, one relying on a VBA macro inside a Word document and one disguising the malicious executable as a Word file.
In the first case, the user has to click on the "Enable Content" button to execute the macro, which creates an LNK file and saves it as "C:\Users\Public\skem.lnk". This file is a downloader for Amadey.
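As an added defender-side example (not code from the article or the AhnLab report), the following Python checks constructed Sysmon-style file-create records for an Office process writing a .lnk shortcut under C:\Users\Public, which is the artifact the first chain produces; the event field names, the process list and the sample paths are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 11 (FileCreate).
# Illustrative only; not telemetry from the AhnLab report.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Public\skem.lnk"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Report.lnk"},
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\Public\Documents\budget.xlsx"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": ""},
]

# Office hosts that should not normally be writing shortcut files (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
PUBLIC_PREFIX = str(PureWindowsPath(r"C:\Users\Public")).lower() + "\\"


def is_suspicious_lnk_create(event):
    """True when an Office process creates a .lnk anywhere under C:\\Users\\Public."""
    if event.get("EventID") != 11:
        return False
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    target = PureWindowsPath(event.get("TargetFilename", ""))
    if image not in OFFICE_IMAGES or target.suffix.lower() != ".lnk":
        return False
    # Case-insensitive prefix match; the trailing backslash stops
    # "C:\Users\PublicX\..." from matching the public profile.
    return str(target).lower().startswith(PUBLIC_PREFIX)


def find_suspicious(events):
    """Return the target paths of every record that matches the pattern."""
    return [e["TargetFilename"] for e in events if is_suspicious_lnk_create(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious shortcut write:", path)
```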
https://www.bleepingcomputer.com/news/security/lockbit-affiliate-uses-amadey-bot-malware-to-deploy-ransomware/