At least one Ransomware threat actor has initiated to leverage the current founded PetitPotam NTLM relay attack method to take over the Windows domain on different networks across the world. Behind the attacks comes to be a new ransomware group named LockFile that was initially seen in July, which displays some similarities and relatings to other groups in the business.

Abusing PetitPotam for DC Entrance

LockFile attacks have been observed mostly in the U.S. and Asia, its victims including associations in the following sectors: financial services, manufacturing, engineering, legal, business services, travel, and tourism. Security researchers found a division of Broadcom, said that the actor’s first access on the network via Microsoft Exchange servers but the accurate method remains unknown at the moment.

Next, the threat actors take over the associations’ domain controller by leveraging the new PetitPotam method, which forces authentication to a remote NTLM relay under LockFile’s control. Founded by our security researcher in July, PetitPotam has a few aspects that Microsoft kept trying to block. At this point, the official mitigations and updates do not completely block the PetitPotam attack vector.

LockFile threat actor seems to rely on publicly available code to abuse the original PetitPotam (tracked as CVE-2021-36942) element. After the attackers successfully take over the domain controller, they efficiently have control over the entire Windows domain and can run any command they wish.

What are the Gaps in the Attack Chain and LockBit Images?

It has been noted in a blog post from recent days that the ransom note from LockFile ransomware is very same as the one used by the LockBit ransomware group. Moreover, it seems like the new group also creates a not-so-subtle reference to the Conti group in the contact email address they leave for the victim- [email protected]. If we were to hypothesize about the choice for the email’s domain, we could state that LockFile seems like the project of the annoyed Conti affiliate that leaked the group’s attack playbook.

Symantec analyzed LockFile’s attack chain and note that the hackers typically spend at least several days on the network before detonating the file-encrypting malware, typical for this kind of attack. The investigators say that when negotiating the victim’s Exchange server, the threat actor executes a PowerShell command that directly downloads a file from a remote location.

In the last stage of the attack, 20 to 30 minutes before setting up the ransomware, the threat actor rewards to take over the domain controller by installing on the negotiated Exchange server the PetitPotam exploit and two files:

• active_desktop_render.dll
• active_desktop_launcher.exe (legitimate KuGou Active Desktop launcher)

The legitimate KuGou Active Desktop launcher is exploited to execute a DLL hijacking attack to load the malicious DLL to avoid the analysis by security software. The investigators state that when loaded by the launcher, the DLL tries to load and decode a file called “desktop.ini” that includes shellcode. Our researchers have not retrieved the file for analysis but say that a successful operation ends with running the shellcode. “The encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam.”

The last and final step is to copy the LockFile ransomware payload on the local domain controller and inject it across the network with the help of a script and executables that run on client hosts immediately after authentication to the server. Researchers believe that LockFile is a new ransomware actor and that it could have a connection to other players in the business, either known in the community or retired. LockFile is still active and has been seen as recently as today inside a victim network.