Context
On June 24, 2022, AhnLab Security Emergency response Center (ASEC) researchers reported the technical details of an ongoing phishing campaign that uses malicious files disguised as copyright claim documents to deliver the LockBit ransomware. The use of copyright claims as a theme is an ongoing trend in ransomware phishing campaigns observed in the wild.
Technical Details
Copyright claim is a common theme for ransomware phishing campaigns for at least the last two years. This intelligence report will highlight three campaigns in the trend for technical similarities and differences. The campaign reported by ASEC researchers last week possesses similar characteristics to another campaign from February 2022 that also delivered LockBit ransomware. A Makop campaign also used the theme in May 2021. Common trends include the use of compressed files with executables disguised as JPEG or PDF files.
The June 2022 LockBit Campaign
In this campaign, threat actors sent phishing emails in Chinese with a malicious file disguised as a copyright claim. The emails came from an email account impersonating a legitimate illustrator to make the email seem more legitimate. The name of the malicious file attachment included the password to open the file, which matches the tactics used in the February 2022 LockBit campaign. The malicious attachment is a compressed file containing a second compressed Nullsoft Scriptable Install System (NSIS) file, which includes an executable disguised with a PDF file icon. This executable installs the ransomware on the targeted machine and runs multiple operations for reconnaissance, obfuscation, and persistence.
The February 2022 LockBit Campaign
This campaign also leveraged phishing emails with malicious copyright-themed attachments containing compressed files with passwords. As in the June 2022 campaign, the compressed files are NSIS file types. The executable for this campaign is disguised as a JPEG file, as with the May 2021 Makop campaign. The executable then runs reconnaissance, obfuscation, and persistence operations, nearly identical to the June 2022 campaign.
In May 2021, ASEC researchers discovered a phishing campaign delivering the Makop ransomware. Unlike previous Makop phishing efforts that used job applications and resumes as themes, the May 2021 campaign began using claims of copyright infringement as a theme. Phishing emails in this campaign included a malicious compressed file as an attachment. As in the February 2022 campaign delivering LockBit, the May 2022 Makop campaign used an executable disguised as a JPEG file, where upon execution, the Makop ransomware deleted volume shadow copy, encrypted files on the infected computer, and created a ransom note TXT file.
IOCs
ASEC analysts provided the following indicators of compromise (IOCs) for the phishing campaigns:
| Indicator | Type | Notes |
| 3a05e519067bea559491f6347dd6d296 | Hash | EML File (June 2022 LockBit Campaign) |
| 74a53d9db6b2358d3e5fe3accf0cb738 | Hash | EXE File (June 2022 LockBit Campaign) |
| 3ffea798602155f8394e5fb3c7f4a495 | Hash | EML File (February 2022 LockBit Campaign) |
| 4b77923447b9a1867080e3abe857e5bd | Hash | EXE File (February 2022LockBit Campaign) |
| 237d76f961f8f550c4c4bbfab30153a6 | Hash | Malicious File (May 2021 Makop Campaign) |
