Ongoing Trend of Ransomware Campaigns Using Copyright Claim as Theme

Several recent ransomware phishing campaigns share tactics and themes using compressed files disguised as copyright infringement claims.
Ongoing Trend of Ransomware Campaigns Using Copyright Claim as Theme

Context

On June 24, 2022, AhnLab Security Emergency response Center (ASEC) researchers reported the technical details of an ongoing phishing campaign that uses malicious files disguised as copyright claim documents to deliver the LockBit ransomware. The use of copyright claims as a theme is an ongoing trend in ransomware phishing campaigns observed in the wild.

Technical Details

Copyright claim is a common theme for ransomware phishing campaigns for at least the last two years. This intelligence report will highlight three campaigns in the trend for technical similarities and differences. The campaign reported by ASEC researchers last week possesses similar characteristics to another campaign from February 2022 that also delivered LockBit ransomware. A Makop campaign also used the theme in May 2021. Common trends include the use of compressed files with executables disguised as JPEG or PDF files.

The June 2022 LockBit Campaign

In this campaign, threat actors sent phishing emails in Chinese with a malicious file disguised as a copyright claim. The emails came from an email account impersonating a legitimate illustrator to make the email seem more legitimate. The name of the malicious file attachment included the password to open the file, which matches the tactics used in the February 2022 LockBit campaign. The malicious attachment is a compressed file containing a second compressed Nullsoft Scriptable Install System (NSIS) file, which includes an executable disguised with a PDF file icon. This executable installs the ransomware on the targeted machine and runs multiple operations for reconnaissance, obfuscation, and persistence.

The February 2022 LockBit Campaign

This campaign also leveraged phishing emails with malicious copyright-themed attachments containing compressed files with passwords. As in the June 2022 campaign, the compressed files are NSIS file types. The executable for this campaign is disguised as a JPEG file, as with the May 2021 Makop campaign. The executable then runs reconnaissance, obfuscation, and persistence operations, nearly identical to the June 2022 campaign.

The May 2021 Makop Campaign

In May 2021, ASEC researchers discovered a phishing campaign delivering the Makop ransomware. Unlike previous Makop phishing efforts that used job applications and resumes as themes, the May 2021 campaign began using claims of copyright infringement as a theme. Phishing emails in this campaign included a malicious compressed file as an attachment. As in the February 2022 campaign delivering LockBit, the May 2022 Makop campaign used an executable disguised as a JPEG file, where upon execution, the Makop ransomware deleted volume shadow copy, encrypted files on the infected computer, and created a ransom note TXT file.

IOCs

ASEC analysts provided the following indicators of compromise (IOCs) for the phishing campaigns:

Indicator  Type Notes
3a05e519067bea559491f6347dd6d296 Hash EML File (June 2022 LockBit Campaign)
74a53d9db6b2358d3e5fe3accf0cb738 Hash EXE File (June 2022 LockBit Campaign)
3ffea798602155f8394e5fb3c7f4a495 Hash EML File (February 2022 LockBit Campaign)
4b77923447b9a1867080e3abe857e5bd Hash EXE File (February 2022LockBit Campaign)
237d76f961f8f550c4c4bbfab30153a6 Hash Malicious File (May 2021 Makop Campaign)

More Recent Blog Posts