Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious DLLs, exploiting trusted programs. Masquerading tactics include renaming malicious files, spoofing process names, and using legitimate icons to blend in with system processes. Recent attacks have utilized trusted applications like Jarsigner.exe, MpCmdRun.exe, and Clink_x86.exe alongside malicious DLLs. The attack chain encompasses initial access, privilege escalation, discovery, credential theft, lateral movement, and impact stages. Attackers employ various tools and techniques, including remote desktop access, NSSM, PsExec, and PowerShell scripts for file encryption.
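A detection sketch for the sideloading pattern summarized above, as an added example that is not from the original report: it scans Sysmon-style image-load events (Event ID 7) for the three host binaries named on this page running outside their expected directory or loading an unsigned DLL from their own folder. The expected directories, the simplified event fields, the `sideload_findings` helper and the sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Host binaries named on this page, mapped to directory prefixes where a
# legitimate copy is expected. The prefixes are assumptions; tune per estate.
EXPECTED_DIRS = {
    "jarsigner.exe": ("c:\\program files\\java\\",),
    "mpcmdrun.exe": ("c:\\program files\\windows defender\\",
                     "c:\\programdata\\microsoft\\windows defender\\platform\\"),
    "clink_x86.exe": ("c:\\program files (x86)\\clink\\",),
}

def sideload_findings(events):
    """Return (image, dll, reasons) for loads that match the sideloading pattern."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        prefixes = EXPECTED_DIRS.get(image.name.lower())
        if prefixes is None or dll.suffix.lower() != ".dll":
            continue  # not one of the watched host binaries
        reasons = []
        image_dir = str(image.parent).lower() + "\\"
        if not image_dir.startswith(prefixes):
            reasons.append("host binary outside expected directory")
        # The application directory is searched before the system directories,
        # so a planted DLL sits beside the trusted EXE that loads it.
        same_dir = dll.parent == image.parent
        if same_dir and not ev["Signed"]:
            reasons.append("unsigned DLL loaded from host binary directory")
        if reasons:
            findings.append((str(image), str(dll), reasons))
    return findings

# Constructed sample events using simplified Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Music\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\Music\placeholder_planted.dll", "Signed": False},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"Image": r"C:\ProgramData\tools\jarsigner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]

if __name__ == "__main__":
    for image, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(image, "->", dll, ":", "; ".join(reasons))
```

A renamed copy of the host binary would not match by file name; matching on the PE original file name or the signer from the same telemetry closes that gap.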

OPENCTI LABELS :

ransomware,lockbit,evasion,encryption,persistence,dll sideloading,masquerading


Open in the NetmanageIT OpenCTI public instance with the link below!

NOTE : Use the public read-only username and password shown in the login page banner.


Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics