Hamburger Menu Icon
Yoroi Background

Hunting the LockBit Gang's Exfiltration Infrastructures


Nowadays ransomware operators have consolidated the double extortion practice by mastering data exfiltration techniques. From time to time, we observed many threat actors approach the data theft in diverse ways, some prefeed to rely on legit services and tools such as RClone, FTP sites, and some through VPN channels, but others also with customized tools.  

Also, during the last months the LockBit gang (TH-276) decided to develop and evolve a custom tool specialized in data exfiltration and used as a peculiar element to distinguish their criminal brand. In fact, the StealBit 2.0 tool is part of the toolset the gang offers to their crooks to overcome the difficulties of massive data theft: an out-of-the-box tool ready to be used against the target company next to the LockBit 2.0 encryption tool. 

From an intelligence perspective, understand the mechanisms and the infrastructure behind this tool is particularly valuable, especialy to early detect animminent ransomware impact. For this reason, Yoroi Malware ZLAB dissected a recent version of StealBit, tracking down the infrastructures abused by the infamous tool, configured there by the cyber criminals (Stealbit-Configuration-Decryptor available). 

Technical Analysis 

The initial sample we have chosen to start our investigation has the following static information: 

Hash 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d 
Threat StealBit 
Brief Description Exfiltration utility adopted by lockbit gang during their cyber intrusions 
Filesize 52.7 KB 
Ssdeep 768:FXPkQ2Csnwhxvfhko88yb6cvXbhb7vJawOuArU1o/xnmGP:YLqvZko9ybpvrtvJa/uArU+5nNP 

Table 1: Static information about the sample 

Analyzing the malicious component, we immediately noticed the lack of metadata in the PE fields. In fact, we obtained few data: the bitness, entry point, the compiler timestamp, and not much more than the DOS header. Something huge is missing. 

Figure 1: Static information about the sample 

In fact, the "imphash" section is not available in the sample. Surprisingly, this is not an error of the tool. The import table of the sample is completely void, empty, no Windows API listed. At this point, we decided to deep inside the code to understand the internals of the sample. 

Anti-Debug Techniques

Anyway, the lack of system API does not prevent malware developers from protecting their code. So, one of the first things the StealBit sample does just after the entry point is implementing a low-level anti-analysis technique. 

Figure 2: Simple Anti-Debug Routine 

It is an anti-debug technique documented in many open source resources. The technique is based on the checking of specific values in Process Environment Block (PEB), a data structure in the Windows NT operating systems used to contain information about the execution of a specific process. One of the flags contained inside the PEB is "NtGlobalFlags”: this value is accessed through the following opcodes. 

mov eax, fs:[30h] ; Load the PEB data structure 

mov eax, eax+68h ; Load the value of the “NtGlobalFlags” flag 

Code snippet 1 

If the value in the indicated flag is 0x70, it means that the process is debugged. In this case, the malware loops at the same instruction, otherwise it goes with its malicious activities. 

The Runtime Loading of APIs and Libraries  

As previously stated, the malware has an empty import address table, so it needs to load the required libraries to perform its malicious activities. Even when no IAT entry is present the operating system loads the three basic DLLs: 

Figure 3: Automatic import of the base Windows libraries 

To load all the rest of the system API needed to exfiltrate data, StealBit hides the native DLL names to import into stack strings. This means the name of the DLL to load is pushed into the running thread stack a char at a time, and then popped out to reconstruct the desired string, just like in the following piece of code: 

Figure 4: Example of stack-strings loading 

In this case, the reconstructed string is "ws2_32.dll", a native library for internet communication. Instead, the stack-strings of the other libraries loaded by StealBit are the following:  

Figure 5: DLLs to load 

Stack string obfuscation was extensively used across the sample, so we automatized the extraction process, and the results are reported in Appendix 1. 

Data Exfiltration 

When the Command and Control correctly responds to the malware, it starts its exfiltration routine, performed by using the HTTP method PUT and the implemented method is designed to be as fast as possible: 

Figure 6: Piece of the Exfiltration C2 Communication  

So, we decided to deepen the communication routine and we isolated all the fields of the request. The principal fields of the request are the following: 

  • PUT: HTTP PUT Method 
  • File Hash: indicates the file to put on the server  
  • HTTP classic headers 
  • DAV2 Constant Header: The body of the request starts with the DAV2 key 
  • The Config ID: (which we’ll explain in the next paragraph) 
  • The complete file name of the exfiltrated file 
  • The content of the file in cleartext 

An example of the construction of the malicious request is the following: 

Figure 7: HTTP PUT request construction 

Despite what LockBit gang advertises, their StealBit does not actually compress the file extracted by the system. In fact, the malware selectively uploads all the files reachable on the target machine except system files, registry hives, scripts and files matching specific extensions such as .cmd, .msi, .ocx, .cpl , .hta, .lnk, .exe , .dll, etc. .  

The full list of file exclusions is available on Appendix 1. 

Configuration Extraction  

One of the most interesting points of malware was the static configuration protection mechanism in place. During the analysis we isolated the piece of code containing the routine adopted by the malicious developers to decrypt the StealBit configuration. 

Figure 8: Configuration decoding routine 

This piece of code contains a neat algorithm to decrypt the configuration of the StealBit sample. It reads a small 8-byte key to decode the byte-chuck starting from the offset 0x40E250 (see above). The loop ends when all 124 bytes are decoded. In the following picture we can see the before and the after of the configuration: 

Figure 9: Before and after of the decoding process 

The configuration chunk is composed of two parts: the first one is a 5-characters ID, probably identifying the victim or the current campaign, and the other chunk is a series of IP addresses to be contacted by the exfiltration tool. These remote IPs are the addresses of the infrastructure used by the threat actor to exfiltrate the data from the targeted companies. 

Hunting the Samples  

At this point, we created a Yara rule (see "Yara Rules" section) matching the configuration decrypting routine and automated the decoding of the static configurations of the StealBit samples in the wild using the Stealbit-Configuration-Decryptor. At the time of writing, we were spotted these samples: 

Retrieved Hashes 

Table 2: Retrieved hashes from Yara Hunting 

These samples have a perfect code similarity with the original one and the only difference is properly the configuration chuck. 

Figure 10: Binary Diff analysis of two samples 

The result of the static configuration extraction from this first in-the-wild StealBit sample set is reported in the following table. 

Hash Compilation Time ID IPs 
07a3dcb8d9b062fb480692fa33d12da05c21f544492cbaf9207956ac647ba9ae 2021-07-12 04:58:17 84AFC 93[.]190[.]143[[.]101 139[.]60[.]160[.]200 193[.]162[.]143[.]218 193[.]38[.]235[.]234 45[.]227[.]255[.]190 
107d9fce05ff8296d0417a5a830d180cd46aa120ced8360df3ebfd15cb550636 2021-07-31 07:09:59 J29EV 93[.]190[.]139[.]223 168[.]100[.]11[.]72 139[.]60[.]160[.]200 193[.]38[.]235[.]234 174[.]138[.]62[.]35 
2f18e61e3d9189f6ff5cc95252396bebaefe0d76596cc51cf0ade6a5156c6f66 2021-07-31 07:09:59 D26VN 174[.]138[.]62[.]35 93[.]190[.]143[.]101 139[.]60[.]160[.]200 193[.]38[.]235[.]234 193[.]162[.]143[.]218 
3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d 2021-07-31 07:09:59 LCPA0 88[.]80[.]147[.]102 168[.]100[.]11[.]72 139[.]60[.]160[.]200 193[.]38[.]235[.]234 174[.]138[.]62[.]35 
4db7eeed852946803c16373a085c1bb5f79b60d2122d6fc9a2703714cdd9dac0 2021-07-12 04:58:17 4ATGY 139[.]60[.]160[.]200 193[.]38[.]235[.]234 193[.]162[.]143[.]218 45[.]227[.]255[.]190 185[.]215[.]113[.]39 
bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e 2021-07-31 07:09:59 D26VN 174[.]138[.]62[.]35 93[.]190[.]143[.]101 139[.]60[.]160[.]200 193[.]38[.]235[.]234 193[.]162[.]143[.]218 
ced3de74196b2fac18e010d2e575335e2af320110d3fdaff09a33165edb43ca2 2021-07-12 04:58:17 84AFC 93[.]190[.]143[.]101 139[.]60[.]160[.]200 193[.]162[.]143[.]218 193[.]38[.]235[.]234 45[.]227[.]255[.]190 

Table 3: Automatic configuration extraction from the hunted samples 

The Exfiltration Infrastructure 

Once extracted the remote IP address hard-coded into the static configurations of the StealBit samples, we analyzed the exfiltration infrastructure from a threat intelligence point of view, tracking down past malicious activities related to those IPs. We noticed that some of them have been used in the past operation for other malicious purposes such as the distribution of mobile malware, or phishing attempts to banks etc., by actors unrelated to the LockBit gang and ransomware practice in general. 

The connection between these different operations is still unclear and weak, in fact, different criminal organizations could have been accidentally chosen the same providers due to their potential lack of collaboration with western authorities, but also - at least in the 168.100.11[.72 case - the same remote address was used to conduct phishing operations in Italy and ransomware data exfiltration in adjacent same time spans. 

IP Count Whois  
(NetName and Country) 
139.60.160[.200 HOSTKEY-USA US  
168.100.11[.72 BLNETWORKS-01 US Phishing to Italian banks between 12 – 24 Aug 2021 
174.138.62[.35 DIGITALOCEAN-174-138-0-0 US  
185.215.113[.39 SC-ELITETEAM-20201113 SC Distrubution of mobile banking malware in Feb21 
193.162.143[.218 FirstByte RU  
193.38.235[.234 VDSINA-NET RU RDP with machine name WIN-R84DEUE96RB and before WIN-5ODCFIGQRP3 in Aug21 
45.227.255[.190 Okpay Investment Company PA-OICO-LACNIC MongoDB scanning and exploitation in APR20 
88.80.147[.102 BelCloud-net BG  
93.190.143[.101 WORLDSTREAM NL Reported as Spam vector in 2020 
93.190.139[.223 WORLDSTREAM NL  

Table 4: Information about the infrastructure  


Data exfiltration tools are getting more popular in the cyber-criminal ecosystem. LockBit gang leveraged this kind of tools to distinguish from other ransomware operators and attract malicious affiliates in their criminal business, and today LockBit is one of the most active and violent threat groups operating the double extortion practice. Securing company data is nowadays a huge challenge and the proliferation of massive data theft tools like StealBit are an emergent threat.  

Tracking down the adversary infrastructure is a relevant effort, by we believe it is necessary to help the security community to fight and pursue such criminals and protect the Yoroi's customers from data extortion threats. 

Indicators of Compromise 

  • Hash: 
    • 07a3dcb8d9b062fb480692fa33d12da05c21f544492cbaf9207956ac647ba9ae  
    • 2f18e61e3d9189f6ff5cc95252396bebaefe0d76596cc51cf0ade6a5156c6f66  
    • 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d  
    • 4db7eeed852946803c16373a085c1bb5f79b60d2122d6fc9a2703714cdd9dac0  
    • bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e  
    • ced3de74196b2fac18e010d2e575335e2af320110d3fdaff09a33165edb43ca2  
    • 107d9fce05ff8296d0417a5a830d180cd46aa120ced8360df3ebfd15cb550636 
  • Exfiltration: 
    • 139.60.160[.200 
    • 168.100.11[.72 
    • 174.138.62[.35 
    • 185.215.113[.39 
    • 193.162.143[.218 
    • 193.38.235[.234 
    • 45.227.255[.190 
    • 88.80.147[.102 
    • 93.190.143[.101 
    • 93.190.139[.223 

Yara Rule 

rule stealbit_decode { 



     		description = "Yara Rule for StealBit Configuration decryption"  

      		author = "Yoroi Malware Zlab"  

      		last_updated = "2021_09_01"  

      		tlp = "white"  

      		category = "informational"  



$Offset = { ff 17 18 19 20 00 00 00 00 00 00 } 

$decode_Conf = { 8b c1 83 e0 0f 8a 8? ?? ?? ?? ?? 30 8? ?? ?? ?? ?? 41 83 f9 7c  } 



all of them 


Suricata Rule 

TLP:AMBER - accessible by Trusted Introducer CSIRT Network Members

Appendix 1 - Extraction of Stack Strings 

Function Written at Offset              String     
0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x4036C0 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x404DEC 0x4059ED 0x4059ED 0x408A81 0x4093EB 0x409A30  0x4037D3 0x4037E1 0x4037E8 0x4037EF 0x4037FD 0x403804 0x403812 0x4038DB 0x4038E2 0x4038E9 0x4038F0 0x4038F7 0x4038FE 0x40391E 0x403961 0x403A19 0x403A20 0x403A2E 0x403A43 0x403A63 0x403AC5 0x403AF6 0x403B27 0x403B4E 0x403BA6 0x403BE8 0x403C0F 0x403C36 0x403C64 0x403C8B 0x403CBC 0x403CFF 0x403D26 0x403D4D 0x403D7E 0x403DAF 0x403DE0 0x403E1F 0x403E80 0x403E87 0x403E8E 0x403EAE 0x403ED5 0x403F06 0x403F5E 0x403F8C 0x403FB3 0x403FD0 0x403FFA 0x40407C 0x40408A 0x404191 0x404198 0x40419F 0x4041A6 0x4041BB 0x4041C9 0x4041D0 0x4042C4 0x4042D2 0x4043CA 0x4043D2 0x4043E0 0x4043F5 0x404B32 0x404B36 0x404B36 0x404B50 0x404B50 0x404BB9 0x404BB9 0x404C0A 0x404C27 0x404C27 0x404C8F 0x404E79 0x404EA2 0x404EE7 0x404F00 0x404F83 0x40501B 0x40508E 0x4050B5 0x4050C7 0x40515D 0x4051A9 0x4052F2 0x405380 0x405387 0x4053DD 0x405455 0x405486 0x4054B3 0x405512 0x4055A4 0x405650 0x4056C9 0x4056D7 0x405A28 0x405A80 0x408A8F 0x409442 0x409B2F  0x33C 0x348 0x354 0x360 0x9C 0xA8 0xB4 0xC0 0x330 0xD8 0xE4 0xF0 0xFC 0x108 0x114 0x120 0x12C 0x138 0x150 0x15C 0x168 0x174 0x180 0x18C 0x1A4 0x1B0 0x1BC 0x1C8 0x1D4 0x1E0 0x1EC 0x1F8 0x204 0x210 0x21C 0x228 0x234 0x240 0x24C 0x258 0x264 0x270 0x27C 0x288 0x294 0x2A0 0x2AC 0x2B8 0x2C4 0x2D0 0x2DC 0x324 0x2E8 0x2F4 0x300 0x30C 0x318 0x36C 0x3B8 0x394 0x20 0x3A4 0x384 0xC 0xC 0x90 0x90 0x70 0x70 0x38 0x38 0x20 0x54 0x54 0x3E4 0x18 0x88 0x128 0x144 0x160 0xF4 0xDC 0x64 0xC 0xC4 0x258 0x34 0x9C 0x1DC 0x10C 0x74 0x198 0x54 0x200 0x224 0x17C 0x24 0x1B8 0x10 0x1C 0x5C 0x74 0x28  .386  .cmd  .ani  .adv  .msi  .msp  .com  .nls  .ocx  .mpa  .cpl  .mod  .hta  .prf  .rtp  .rdp  .bin  .shs  .wpx  .bat  .rom  .msc  .spl  .ps1  .ics  .key  .exe  .dll  .lnk  .ico  .hlp  .sys  .drv  .cur  .idx  .ini  .reg  .mp3  .mp4  .apk  .ttf  .otf  .fon  .fnt  .css  .dmp  .tmp  .pif  .wav  .wma  .dmg  .iso  .app  .ipa  .xex  .wad  .msu  .icns  .lockbit  .theme  .msstyles  .gadget  .woff  .part  ntldr  ntuser.diagcfg  ntuser.dat.log  boot.diagpkg  bootsect.bak  au.sfcache  autorun.inf  thumbs.db  icon.diagcab  iconcache.db  restore-my-files.txt  intel  msocache  $windows.~bt  $recycle.bin  $windows.~ws  tor browser  windows nt  msbuild  boot  all users  system volume information  google  perflogs  application data  windows.old  mozilla  microsoft.net  appdata  microsoft shared  internet explorer  common files  opera  windows journal  %s\*  %s\%s  Microsoft Base Cryptographic Provider v1.0  \??\pipe\STEALBIT-MASTER-PIPE  DAV2  

Appendix 2 - Decoder 

Stealbit-Configuration-Decryptor available on Yoroi Malware ZLAB public GitHub repository. 

This blop post was authored by Luigi Martire and Luca Mella of Yoroi Malware ZLAB

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram