Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.
LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.
LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.
LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:
LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.
After files are encrypted, LockBit 3.0 drops a ransom note with the new filename
Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).
File Sharing Site |
---|
https://www.premiumize[.]com |
https://anonfiles[.]com |
https://www.sendspace[.]com |
https://fex[.]net |
https://transfer[.]sh |
https://send.exploit[.]in |
LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:
Tool | Description | MITRE ATT&CK ID |
---|---|---|
Chocolatey | Command-line package manager for Windows. | T1072 |
FileZilla | Cross-platform File Transfer Protocol (FTP) application. | T1071.002 |
Impacket | Collection of Python classes for working with network protocols. | S0357 |
MEGA Ltd MegaSync | Cloud-based synchronization tool. | T1567.002 |
Microsoft Sysinternals ProcDump | Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe. | T1003.001 |
Microsoft Sysinternals PsExec | Execute a command-line process on a remote machine. | S0029 |
Mimikatz | Extracts credentials from system. | S0002 |
Ngrok | Legitimate remote-access tool abused to bypass victim network protections. | S0508 |
PuTTY Link (Plink) | Can be used to automate Secure Shell (SSH) actions on Windows. | T1572 |
Rclone | Command-line program to manage cloud storage files | S1040 |
SoftPerfect Network Scanner | Performs network scans. | T1046 |
Splashtop | Remote-desktop software. | T1021.001 |
WinSCP | SSH File Transfer Protocol client for Windows. | T1048 |
The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.
LockBit 3.0 Black Icon
LockBit 3.0 Wallpaper
LockBit Command Line Parameters
LockBit Parameters | Description |
---|---|
-del |
Self-delete. |
-gdel |
Remove LockBit 3.0 group policy changes. |
-gspd |
Spread laterally via group policy. |
-pass (32 character value) |
(Required) Password used to launch LockBit 3.0. |
-path (File or path) |
Only encrypts provided file or folder. |
-psex |
Spread laterally via admin shares. |
-safe |
Reboot host into Safe Mode. |
-wall |
Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note. |
When executed, LockBit 3.0 will create the mutex, Global
and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.
LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. C:WindowsSystem32dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC.
For example, %SYSTEM32%dllhost.exe/Processid:{3E5FC7F9-9A51-4367-9063- A120244FBEC7}.
LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.
LockBit 3.0 Icon
Registry Key | Value | Data |
---|---|---|
HKCR. |
(Default) |
|
HKCR |
(Default) |
C:ProgramData |
LockBit 3.0 Wallpaper
Registry Key | Value | Data |
---|---|---|
HKCUControl PanelDesktopWallPaper |
(Default) |
C:ProgramData |
Disable Privacy Settings Experience
Registry Key | Value | Data |
---|---|---|
SOFTWAREPoliciesMicrosoftWin dowsOOBE |
DisablePrivacyE xperience |
0 |
Enable Automatic Logon
Registry Key | Value | Data |
---|---|---|
SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon |
AutoAdminLogon |
1 |
|
DefaultUserName |
|
|
DefaultDomainNa me |
|
|
DefaultPassword |
|
Disable and Clear Windows Event Logs
Registry Key | Value | Data |
---|---|---|
HKLMSOFTWAREMicrosoftWindows CurrentVersionWINEVTChannels * |
Enabled |
0 |
HKLMSOFTWAREMicrosoftWindows CurrentVersionWINEVTChannels * ChannelAccess |
ChannelAccess |
AO:BAG:SYD:(A;;0x1;; ;SY)(A;;0x5;;;BA)(A; ;0x1;;;LA) |
LockBit 3.0 File Path Locations |
---|
ADMIN$Temp |
%SystemRoot%Temp |
|
LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:
Operating System | Safe Mode with Networking command |
---|---|
Vista and newer |
bcdedit /set {current} safeboot network |
Pre-Vista |
bootcfg /raw /a /safeboot:network /id 1 |
Operating System | Disable Safe mode reboot |
---|---|
Vista and newer |
bcdedit /deletevalue {current} safeboot |
Pre-Vista |
bootcfg /raw /fastdetect /id 1 |
The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:
NetworkShares.xml |
---|
Services.xml stops and disables services on the Active Directory (AD) hosts.
Services.xml |
---|
The following registry configuration changes values for the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.
Registry Key | Registry Value | Value type | Data |
---|---|---|---|
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeDC |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeOffsetDC |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh Time |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeOffset |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
EnableSmartScreen |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
**del.ShellSmartSc reenLevel |
REG_S Z |
|
HKLMSOFTWAREPoliciesMicrosoftWindow s Defender |
DisableAntiSpyware |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s Defender |
DisableRoutinelyTa kingAction |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderReal-Time Protection |
DisableRealtimeMon itoring |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderReal-Time Protection |
DisableBehaviorMon itoring |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderSpynet |
SubmitSamplesConse nt |
REG_D WORD |
2 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderSpynet |
SpynetReporting |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sFirewallDomainProfile |
EnableFirewall |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sFirewallStandardProfile |
EnableFirewall |
REG_D WORD |
0 |
Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.
Force GPUpdate Powershell Command |
---|
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke- GPUpdate -computer $_.name -force -RandomDelayInMinutes 0} |
vss | sql | svc$ |
memtas | mepocs | msexchange |
sophos | veeam | backup |
GxVss | GxBlr | GxFWD |
GxCVD | GxCIMgr |
sql | oracle | ocssd |
dbsnmp | synctime | agntsvc |
isqlplussvc | xfssvccon | mydesktopservice |
ocautoupds | encsvc | firefox |
tbirdconfig | mydesktopqos | ocomm |
dbeng50 | sqbcoreservice | excel |
infopath | msaccess | mspu |
onenote | outlook | powerpnt |
steam | thebat | thunderbird |
visio | winword | wordpad |
notepad |
~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
If configured, Lockbit 3.0 will send two HTTP POST requests to one of the C2servers. Information about the victim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.
Example of HTTP POST request POST |
Mozilla/5.0 (Windows NT 6.1) |
AppleWebKit/587.38 (KHTML, like Gecko) |
Chrome/91.0.4472.77 |
Safari/537.36 | Edge/91.0.864.37 | Firefox/89.0 |
Gecko/20100101 |
See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Initial Access | ||
---|---|---|
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access. |
Exploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks. |
Drive-by Compromise | T1189 | LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing. |
Exploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems. |
Phishing | T1566 | LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks. |
Execution | ||
Technique Title | ID | Use |
Execution | TA0002 | LockBit 3.0 launches commands during its execution. |
Software Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command- line package manager for Windows. |
Persistence | ||
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 uses a compromised user account to maintain persistence on the target network. |
Boot or Logo Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for persistence. |
Privilege Escalation | ||
Technique Title | ID | Use |
Privilege Escalation | TA0004 | Lockbit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient. |
Boot or Logo Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for privilege escalation. |
Defense Evasion | ||
Technique Title | ID | Use |
Obfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its C2 servers. |
Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk. |
Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered. |
Credential Access | ||
Technique Title | ID | Use |
OS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 uses Microsoft Sysinternals ProDump to dump the contents of LSASS.exe. |
Discovery | ||
Technique Title | ID | Use |
Network Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks. |
System Information Discovery | T1082 | LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. |
System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list. |
Lateral Movement | ||
Technique Title | ID | Use |
Remote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote- desktop software to facilitate lateral movement. |
Command and Control | ||
Technique Title | ID | Use |
Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2. |
Protocol Tunnel | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows. |
Exfiltration | ||
Technique Title | ID | Use |
Exfiltration | TA0010 | LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network. |
Exfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data. |
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration. |
Impact | ||
Technique Title | ID | Use |
Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin. |
Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources. |
Service Stop | T1489 | LockBit 3.0 terminates processes and services. |
Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk. |
Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. |
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI is seeking any information that can be legally shared, including:
The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]
Actions to take today to mitigate malicious cyber activity:
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.
Download the PDF version of this report:
For a downloadable copy of IOCs, see
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:WindowsTemp
directory. The malicious files were then executed from the C:WindowsTemp
directory via the w3wp.exe
process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.
CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll
(e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll
).
The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png
, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.
In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:WindowsTemp
directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe
process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.
Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe
process. In this instance, TA1 was able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162
or 45.77.212[.]12
. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:
.dll
extension in the C:WindowsTemp
directory on the server. TA1 may use this capability to hide additional malicious activity on the network.CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:
IP Address |
First Identified |
Last Identified |
137.184.130[.]162 |
09/26/2022 |
10/08/2022 |
45.77.212[.]12 |
10/07/2022 |
11/25/2022 |
104.225.129[.]102 |
10/10/2022 |
11/16/2022 |
149.28.85[.]24 |
10/12/2022 |
10/17/2022 |
185.186.245[.]72 |
10/18/2022 |
10/18/2022 |
193.8.172[.]113 |
09/25/2022 |
09/25/2022 |
193.8.172[.]13 |
09/25/2022 |
10/17/2022 |
216.120.201[.]12 |
10/13/2022 |
11/10/2022 |
5.34.178[.]246 |
09/25/2022 |
09/25/2022 |
79.133.124[.]242 |
09/25/2022 |
09/25/2022 |
92.38.169[.]193 |
09/27/2022 |
10/08/2022 |
92.38.176[.]109 |
09/12/2022 |
09/25/2022 |
92.38.176[.]130 |
09/25/2022 |
10/07/2022 |
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word]
nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]
As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:WindowsTemp
directory that TA2 executed via the w3wp.exe
process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.
IP Address |
Resolving Domains |
---|---|
184.168.104[.]171 |
xework[.]com xegroups[.]com hivnd[.]com |
144.96.103[.]245 |
xework[.]com |
Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe
and writing new files as xesvrs[.]exe
to invoke reverse shell utilities execution.
Filename |
Description |
---|---|
XEReverseShell.exe |
DLL files (masqueraded as PNG files) located in the When executed, the reverse shell utility attempts to connect to Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection. |
Multi-OS_ReverseShell.exe |
Reverse shell utility decoded from the base64 encoded file When executed, it will attempt to connect to |
SortVistaCompat |
Base64 encoded payload dropped from |
When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe
) that attempts to pull a C2 IP address and port number from xework[.]com
or xegroups[.]com
.
If communication is established between the TA2 malware and the C2:
xesetshell
, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:WindowsTemp
directory.xequit
, causing the malware to sleep for a period of time determined by the threat actors.The two files xesmartshell.tmp
and SortVistaCompat
have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt
decoded [T1140] as small.aspx
[T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.
For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.
See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Reconnaissance |
||
---|---|---|
ID |
Use |
|
Active Scanning: Vulnerability Scanning |
Actors were observed conducting active scanning activity for vulnerable devices and specific ports. |
|
Initial Access |
||
Technique Title |
ID |
Use |
Exploit Public-Facing Application |
Actors exploited a known vulnerability in the Microsoft IIS server. |
|
Persistence |
||
Technique Title |
ID |
Use |
Server Software Component: Web Shell |
TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands. |
|
Defense Evasion |
||
Technique Title |
ID |
Use |
Masquerading: Match Legitimate Name or Location |
Actors leveraged the legitimate |
|
Process Injection: DLL Injection |
Actors loaded newly created DLLs into a running |
|
Indicator Removal: File Deletion |
TA1’s malware deleted files with ".dll" from the |
|
Indicator Removal: Timestomp |
Actors modified file time attributes to insert misleading creation dates. |
|
Decode Files |
The base64 encoded text file |
|
Discovery |
||
Technique Title |
ID |
Use |
File and Directory Discovery |
Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information. TA1’s malware enumerates systems, processes, files, and directories. |
|
System Network Configuration Discovery |
TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server. |
|
Command and Control |
||
Technique Title |
ID |
Use |
Ingress Tool Transfer |
TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the |
|
Non-Application Layer Protocol |
Actors used a non-application layer protocol (TCP) for |
CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.
CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.
rule CISA_10424018_01 {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10424018"
Date = "2023-02-07"
Last_Modified = "20230216_1500"
Actor = "n/a"
Family = "n/a"
Capabilities = "n/a"
Malware_Type = "n/a"
Tool_Type = "n/a"
Description = "Detects open-source exploit samples"
SHA256 = "n/a"
strings:
$s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
$s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
$s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
$s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
$s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
$s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
$s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
$s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
$s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
$s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
$s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}
CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.
CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:WindowsTemp
directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe
process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.
Forensic analysis commonly identified the threat actors taking the following steps:
C:WindowsTemp1665890187.8690152.dll
) by process w3wp.exe
PID 6484.w3wp.exe
PID 6484. w3wp.exe
PID 6484 to 45.77.212[.]12
over port 443.C:WindowsSystem32vcruntime140.dll
(Windows C runtime library) to execute payload.Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12
correlates to TA1, but the pattern can be used as general practice to identify similar activity.
The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.
When this CVE is exploited, it uploads malicious DLL files to the C:WindowsTemp
directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.
The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll
Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: d{10}.d{1,8}.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.
When investigating IIS logs, specific fields were searched for and captured during the time of each connection.
If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.
The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]
General Name |
Field Name |
Description |
Method |
cs-method |
Requested action; for example, a GET method |
URI Stem |
cs-uri-stem |
Universal Resource Identifier (URI), or target, of the action |
URI Query |
cs-uri-query |
The query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages. |
Protocol Status |
sc-status |
Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code |
Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.
When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).
Example: cs_method instead of cs-method
Field Name |
Artifact |
---|---|
cs-method |
POST |
>cs-uri-stem |
/Telerik.Web.UI.WebResource.axd |
cs-uri-query |
type=rau |
sc-status |
200 and 302 |
When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.
EventID |
Payload |
---|---|
1309 |
3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)nn, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)n","Binary":""}} |
Authoring organizations recommend looking for the following key strings in the payload:
w3wp.exe
: This is the parent process that executes the code inside the malicious DLLs.System.Configuration.Install.AssemblyInstaller
: Figure 1 is from the creator’s GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]If a Werfault crash report was written, Windows event application logs may contain evidence of this— even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.
EventID |
ExecutableInfo |
MapDescription |
Payload |
---|---|---|---|
1000 |
w3wp.exe |1664175639.65719.dll |c:windowssystem32inetsrvw3wp.exe |C:WindowsTemp1664175639.65719.dll |
Application Error |
{"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\windows\system32\inetsrv\w3wp.exe, C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}} |
1001 |
w3wp.exe |1664175639.65719.dll |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |
Application Crash |
{"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, nC:\Windows\Temp\WERE3F6.tmp.appcompat.txtnC:\Windows\Temp\WERE639.tmp.WERInternalMetadata.xmlnC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\memory.hdmpnC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\triagedump.dmp, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}} |
The EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLL with the Unix Epoch time-based name inside the C:WindowsTemp directory.
Depending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 8 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.
When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:
w3wp.exe
in Windows security event logs (e.g., Windows EventID 4688 New Process created).If Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed in a timely manner of the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:
Field |
Value Begins With |
---|---|
TextAtLowestOffset |
MZ |
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935
Google’s Threat Analysis Group (TAG) contributed to this CSA.
Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |