Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data
Oct. 17, 2024, 10:20 a.m.
Description
This report discusses malicious Golang ransomware samples that abuse Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, which allowed the researchers to track and report the malicious activity. The ransomware attempted to disguise itself as LockBit ransomware, likely to leverage LockBit's notoriety and pressure victims, though no connection to LockBit's operators was found.
Date
Published: Oct. 17, 2024, 9:43 a.m.
Created: Oct. 17, 2024, 9:43 a.m.
Modified: Oct. 17, 2024, 10:20 a.m.
Attack Patterns
T1565
T1490
T1608
T1185
T1583
T1136
T1491
T1489
T1486
T1055
T1098
T1499
T1204
T1132
T1053
T1090