A new ransomware operation called LockFile, first observed in July 2021, uses the PetitPotam vulnerability to gain access to an organization's Windows domain controller and then spread across the network, Symantec researchers revealed.
The attacks first observed in July 2021 targeted organizations in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors across the US and Asia, Symantec said.
An investigation into the attacks revealed that the threat actors breached networks via Microsoft Exchange Servers; however, the researchers were not able to determine the exact method of compromise. The attackers then used the PetitPotam vulnerability (CVE-2021-36942) to gain access to the domain controller and spread across the network.
CVE-2021-36942 is an NTLM relay vulnerability. A low-privileged attacker can use the MS-EFSRPC interface to coerce a domain controller into authenticating to an attacker-controlled host, then relay that NTLM authentication to another service in the domain (the widely reported chain targets Active Directory Certificate Services web enrollment) to take over the domain controller.
According to Symantec, the attackers maintain access to victim networks for at least several days before beginning the ransomware attack. Around 20 to 30 minutes prior to deploying ransomware, the attackers install a set of tools onto the compromised Exchange Server, including a file called "efspotato.exe" containing the PetitPotam exploit, and active_desktop_launcher.exe, a legitimate version of KuGou Active Desktop.
“The executable is being used in a DLL search order loading attack to load a malicious active_desktop_render.dll file. This active_desktop_render.dll file, when loaded by the active_desktop_launcher.exe, attempts to load and decrypt a file in the local directory called “desktop.ini”. If the file is successfully loaded and decrypted, shellcode from the file is executed,” the researchers said.
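The loader chain described above leaves a recognisable triad on disk: the legitimate launcher, a same-directory DLL with the name it tries to load, and a "desktop.ini" that is an encrypted blob rather than the small INI text Explorer writes. The following hunting script is an added example, not code from the article or from Symantec; the three file names come from the article, while the 7.0 bits/byte entropy threshold, the INI-header heuristic and the sample directories it builds are constructed assumptions for illustration.

```python
"""Hunt for the LockFile staging triad: launcher + hijacked DLL + encrypted desktop.ini.

Added example; file names are from the Symantec write-up quoted in the article,
the heuristics and sample data are assumptions made for this illustration.
"""
import math
import os
import tempfile
from pathlib import Path

LAUNCHER = "active_desktop_launcher.exe"   # legitimate KuGou Active Desktop binary
HIJACKED_DLL = "active_desktop_render.dll"  # DLL loaded via search-order hijack
PAYLOAD = "desktop.ini"                     # encrypted shellcode container

# Assumption: plain INI text sits around 4-5 bits/byte, encrypted or
# compressed data is close to 8. Tune for your environment.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_real_desktop_ini(data: bytes) -> bool:
    """A genuine desktop.ini is UTF-8 or UTF-16 INI text that opens with a [section]."""
    for enc in ("utf-8", "utf-16"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        return text.lstrip("\ufeff \r\n\t").startswith("[")
    return False


def scan_directory(root) -> list:
    """Return one finding per directory that holds the launcher next to a
    desktop.ini that does not look like Explorer's own metadata file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if LAUNCHER not in by_lower or PAYLOAD not in by_lower:
            continue
        d = Path(dirpath)
        data = (d / by_lower[PAYLOAD]).read_bytes()
        ent = shannon_entropy(data)
        suspicious = ent >= ENTROPY_THRESHOLD or not looks_like_real_desktop_ini(data)
        if suspicious:
            findings.append({
                "dir": str(d),
                "dll_colocated": HIJACKED_DLL in by_lower,  # context, not proof on its own
                "entropy": round(ent, 2),
            })
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample data: one staging directory that mimics the described
    triad and one benign directory with a real-looking desktop.ini."""
    staging = base / "staging"
    staging.mkdir()
    (staging / LAUNCHER).write_bytes(b"MZ")          # placeholder, not a real PE
    (staging / HIJACKED_DLL).write_bytes(b"MZ")
    (staging / PAYLOAD).write_bytes(bytes(range(256)) * 16)  # uniform bytes -> 8.0 bits/byte

    benign = base / "benign"
    benign.mkdir()
    (benign / LAUNCHER).write_bytes(b"MZ")
    (benign / HIJACKED_DLL).write_bytes(b"MZ")
    (benign / PAYLOAD).write_bytes(
        b"[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n"
    )


def demo() -> list:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan_directory(base)


if __name__ == "__main__":
    for f in demo():
        print(f"suspicious staging dir: {f['dir']} "
              f"(dll colocated={f['dll_colocated']}, desktop.ini entropy={f['entropy']})")
```

Run it against a suspected Exchange server's drive by calling `scan_directory(r"C:\")` instead of `demo()`. The DLL is reported only as context because the legitimate software would ship its own `active_desktop_render.dll`; the discriminating signal is a `desktop.ini` that is not INI text.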
After gaining access to the victim’s domain controller, the threat actors copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller.
The researchers noted that the operators behind LockFile use a ransomware note similar to the one used by the LockBit ransomware gang. In addition, the LockFile ransomware note contains a reference to the Conti ransomware operation in the contact email address they leave for the victim.