Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

    Date: 10/17/2024

    Severity: Critical

    Summary

    Threat actors are increasingly abusing cloud service providers for malicious activity, including infostealer development and data exfiltration. In this instance, the ransomware samples we analyzed contained hard-coded AWS credentials tied to a single threat actor, whereas ransomware developers more commonly rely on a range of online services. The Go (Golang) ransomware samples we examined target Windows and macOS environments. Most of them embed hard-coded AWS credentials and upload the stolen data to an Amazon S3 bucket controlled by the attackers.

    Indicators of Compromise (IOC) List

    Hash

    023aff64a9ecdc012621966e1c1e5bd5957c0afcd8394bc9b2be4d77adc934db
    
    06fbf383637bd94226b8257dfbd88576a1a9dca1dac8b900a20d96f39cd1475f
    
    0c54e79e8317e73714f6e88df01bda2c569ec84893a7a33bb6e8e4cf96980430
    
    0ce98929d8a49d43476263be704aaff40b02968ca423bc4f0da89e738e9da9da
    
    1350b1dce81952d9cca595eab8c77ea29ba46f7aa4df28f066110b14895a630c
    
    14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
    
    17b7e5ac105cfafca07691b97689c97a9c4e2b0e11e22cb1c70d85d0cd37678c
    
    1827bc29f0d1d1a9de9978a7852fd05a415e83d120feda6856bfd987ed2e6622
    
    1a56110c5a9b11380fe8cf145ec051ac5728eb0776b0448ff8b5e6ba8d44a4e1
    
    2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c
    
    35299f1f6bb224e9260a10f72087ba2193316e73eea7b0361ea9ae9b946a5fac
    
    371b772a5c3ac6407d77e6fc3fabb6dbb72ebddfb2ceae77147dfeee63168390
    
    390edcbca4679129932fdeabc71b3181e1ae545d655abc06460ee838d9a11ac9
    
    39d144c97b53eb4ea0b6b76af9e2b5062730c8d134f38e017bd474e5e7af0ab1
    
    3c45b5be997e9250d44ea3d3cfa85a2e341f9b5017eac694ee1d569134fdd4da
    
    573400d5f8a9d85d7205c1f6cf68f395bbb780aa81cd680dcec7b1904025f4d5
    
    744aaf3751291085848beb170cafacc45dfab7daa725037917307b54cc1337cd
    
    7a018c849aa2cadf29c498771b9dfcf478029b61a11b6241cda0ebafff6d8f30
    
    7bfa19a76ae96c1eb630f56c2d4e38f9df62c04cae29755aebf08f71832b7b84
    
    7dbb35453d362309618159b5a796e86a95299dd259be033671705663f378691d
    
    88237de0db05a0bc5b9de9eb77a4e43595de6b8652affc51b9d20ad22012c136
    
    8e404487edabbc46d92f8c63b90ac9f661698a5a96691e255ff576e246bca86c
    
    90c429ebe6c41470f921debcb1b8c3a536b213f7c56d4adccb19a01e471fba04
    
    967375af79a5745a9bc97e0d6513d30b797fe834b0f700f48512e3c89cf35328
    
    9e792606d9060f0988c9615aa785685f8474b50e00ce58c559821066b842b515
    
    9fd4ffc73d7de7fa881fd4de477f74c49b73e2aa117e7f3fb800ef5bf6cf73b8
    
    a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564
    
    aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
    
    b32f634f34465b056090fe136ddad42365748e84eed4dd37ce5d145f0377794e
    
    bc73cc463ea4f6c0e8d65e28c5a72c474e73176a2dabb18776cb471eb209457e
    
    c55fe2e800701ca55a3ec1bac9a42931e30dc3a01bbb431508e7ba21e672e64e
    
    cdb2a7767779e0d0efaecfdc1fce41bf51d3677194205d486e8c5a0c4815ee65
    
    cded5f02f06bc64e3aa909f021a35b00740832f5eaf9ffec8ca7be73e74c1152
    
    d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe
    
    dbcfa51d8924096c9df053f9f8e8bfcb9f512d6067e8310e8a4743c55f016593
    
    e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
    
    e4c59a0b4d209e898572e4fdd6153e6510e92fc16384b71a11f2b68210dd8174
    
    f09f05fdd4dbe9a7b321f0aa4d56ae662e41a63385fd1a1e7f446d4af19a10d4
    
    f0ab7baa3e734451716ab374109453c1c159533023966d9db384f91da7c16f7f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash:

    sha256hash IN ("06fbf383637bd94226b8257dfbd88576a1a9dca1dac8b900a20d96f39cd1475f","390edcbca4679129932fdeabc71b3181e1ae545d655abc06460ee838d9a11ac9","7a018c849aa2cadf29c498771b9dfcf478029b61a11b6241cda0ebafff6d8f30","1827bc29f0d1d1a9de9978a7852fd05a415e83d120feda6856bfd987ed2e6622","c55fe2e800701ca55a3ec1bac9a42931e30dc3a01bbb431508e7ba21e672e64e","39d144c97b53eb4ea0b6b76af9e2b5062730c8d134f38e017bd474e5e7af0ab1","0ce98929d8a49d43476263be704aaff40b02968ca423bc4f0da89e738e9da9da","1350b1dce81952d9cca595eab8c77ea29ba46f7aa4df28f066110b14895a630c","a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564","9fd4ffc73d7de7fa881fd4de477f74c49b73e2aa117e7f3fb800ef5bf6cf73b8","1a56110c5a9b11380fe8cf145ec051ac5728eb0776b0448ff8b5e6ba8d44a4e1","b32f634f34465b056090fe136ddad42365748e84eed4dd37ce5d145f0377794e","f0ab7baa3e734451716ab374109453c1c159533023966d9db384f91da7c16f7f","0c54e79e8317e73714f6e88df01bda2c569ec84893a7a33bb6e8e4cf96980430","9e792606d9060f0988c9615aa785685f8474b50e00ce58c559821066b842b515","7bfa19a76ae96c1eb630f56c2d4e38f9df62c04cae29755aebf08f71832b7b84","bc73cc463ea4f6c0e8d65e28c5a72c474e73176a2dabb18776cb471eb209457e","17b7e5ac105cfafca07691b97689c97a9c4e2b0e11e22cb1c70d85d0cd37678c","e4c59a0b4d209e898572e4fdd6153e6510e92fc16384b71a11f2b68210dd8174","dbcfa51d8924096c9df053f9f8e8bfcb9f512d6067e8310e8a4743c55f016593","573400d5f8a9d85d7205c1f6cf68f395bbb780aa81cd680dcec7b1904025f4d5","967375af79a5745a9bc97e0d6513d30b797fe834b0f700f48512e3c89cf35328","3c45b5be997e9250d44ea3d3cfa85a2e341f9b5017eac694ee1d569134fdd4da","e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac","7dbb35453d362309618159b5a796e86a95299dd259be033671705663f378691d","d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe","88237de0db05a0bc5b9de9eb77a4e43595de6b8652affc51b9d20ad22012c136","2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c","023aff64a9ecdc012621966e1c1e5bd5957c0afcd8394bc9b2be4d77adc934db","14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31","35299f1f6bb224e9260a10f72087ba2193316e73eea7b0361ea9ae9b946a5fac","371b772a5c3ac6407d77e6fc3fabb6dbb72ebddfb2ceae77147dfeee63168390","744aaf3751291085848beb170cafacc45dfab7daa725037917307b54cc1337cd","8e404487edabbc46d92f8c63b90ac9f661698a5a96691e255ff576e246bca86c","90c429ebe6c41470f921debcb1b8c3a536b213f7c56d4adccb19a01e471fba04","aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec","cdb2a7767779e0d0efaecfdc1fce41bf51d3677194205d486e8c5a0c4815ee65","cded5f02f06bc64e3aa909f021a35b00740832f5eaf9ffec8ca7be73e74c1152","f09f05fdd4dbe9a7b321f0aa4d56ae662e41a63385fd1a1e7f446d4af19a10d4")
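    As an added example, not Gurucul's TDIR query and not code from the Trend Micro report, the script below runs the same SHA-256 IOC match locally against a file and combines it with a scan for embedded AWS access key IDs, the kind of hard-coded credential the summary describes. The IOC set holds a few hashes copied from the list above (extend it with the rest for full coverage); the sample blob and the key ID inside it are constructed and are not real credentials; the 20-character AKIA/ASIA key-ID shape is AWS's documented format for access key IDs.

```python
"""Added example (not Gurucul's TDIR query or Trend Micro's code): local
triage of a suspect file against this advisory's SHA-256 IOCs, plus a scan
for embedded AWS access key IDs, the hard-coded credentials the summary
describes. Requires Python 3.9+ (list[str] annotations)."""
import hashlib
import re
import sys
from pathlib import Path

# Subset of the SHA-256 IOCs listed in this advisory (copied from the list
# above; add the remaining hashes for full coverage).
IOC_SHA256 = {
    "023aff64a9ecdc012621966e1c1e5bd5957c0afcd8394bc9b2be4d77adc934db",
    "06fbf383637bd94226b8257dfbd88576a1a9dca1dac8b900a20d96f39cd1475f",
    "b32f634f34465b056090fe136ddad42365748e84eed4dd37ce5d145f0377794e",
    "f0ab7baa3e734451716ab374109453c1c159533023966d9db384f91da7c16f7f",
}

# AWS access key IDs are 20 characters: the prefix AKIA (long-term IAM user
# keys) or ASIA (temporary STS keys) followed by 16 upper-case alphanumerics.
# No word-boundary anchors on purpose: Go binaries pack string literals back
# to back without terminators, so a key ID may sit directly between other
# printable data. A few false positives for analyst review beat a miss.
AWS_KEY_ID_RE = re.compile(rb"(?:AKIA|ASIA)[A-Z0-9]{16}")

# Constructed sample blob standing in for a binary's data section. The key
# ID has the right 20-character shape only; it is not a real credential.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 12
    + b"us-east-1\x00s3.amazonaws.com\x00"
    + b"AKIAEXAMPLEEXAMPLE12"          # constructed, non-functional key ID
    + b"\x00wS3cr3tEXAMPLEplaceholder\x00" + b"\xff" * 8
)


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest, the form the IOC list and the TDIR query use."""
    return hashlib.sha256(data).hexdigest()


def is_known_ioc(digest: str) -> bool:
    """Case-insensitive membership test against the advisory's hash list."""
    return digest.strip().lower() in IOC_SHA256


def find_aws_key_ids(data: bytes) -> list[str]:
    """Distinct AWS access key IDs in the blob, in order of first appearance."""
    found: list[str] = []
    for m in AWS_KEY_ID_RE.finditer(data):
        key = m.group(0).decode("ascii")
        if key not in found:
            found.append(key)
    return found


def triage_bytes(data: bytes) -> dict:
    """Combine the hash IOC check with the embedded-credential scan."""
    digest = sha256_bytes(data)
    keys = find_aws_key_ids(data)
    return {
        "sha256": digest,
        "ioc_match": is_known_ioc(digest),
        "aws_key_ids": keys,
        "suspicious": is_known_ioc(digest) or bool(keys),
    }


def triage_file(path) -> dict:
    """Read the whole file: the regex scan needs every byte anyway."""
    return triage_bytes(Path(path).read_bytes())


def main(argv: list[str]) -> int:
    """Usage: python triage.py <file> [<file> ...]; exit 1 if anything is flagged."""
    hit = False
    for arg in argv[1:]:
        result = triage_file(arg)
        hit = hit or result["suspicious"]
        print(f"{arg}: sha256={result['sha256']} ioc_match={result['ioc_match']} "
              f"aws_key_ids={result['aws_key_ids']}")
    return 1 if hit else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    A hash match is exact but brittle (a recompiled sample changes it), while the key-ID scan catches the behaviour the advisory describes regardless of hash; any key ID found in a real sample should be reported to AWS so the credential can be revoked.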

    Reference:

    https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html


    Tags

    Malware, Ransomware, Lockbit, Golang
