A threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over the Windows domain on various networks worldwide. Behind the attacks appears to be a new ransomware gang called LockFile.

The LockFile threat actor appears to rely on publicly available code to exploit the original PetitPotam variant (tracked as CVE-2021-36942).

In LockFile’s attack chain, the hackers typically spend at least several days on the network before detonating the file-encrypting malware, which is typical for this kind of attack. After compromising the victim’s Exchange server, the attacker runs a PowerShell command that downloads a file from a remote location.

In the final stage of the attack, 20 to 30 minutes before deploying the ransomware, the threat actor takes over the domain controller by installing the PetitPotam exploit and two files on the compromised Exchange server:

  • active_desktop_render.dll
  • active_desktop_launcher.exe (legitimate KuGou Active Desktop launcher)

The legitimate KuGou Active Desktop launcher is abused in a DLL hijacking attack: the signed launcher loads the malicious DLL, which helps evade detection by security software. The DLL tries to load and decrypt a file called “desktop.ini” that contains shellcode. Symantec has not retrieved the file for analysis but says that a successful operation ends with the shellcode running.
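The three file names above are the most concrete indicators the article gives for this stage, and the useful hunting check is not any one of them but their co-location: the legitimate launcher sitting next to the malicious DLL in the same directory. The following is an added example, not code from Symantec or the article; only the three file names come from the article, and the file inventory it runs over is constructed. It groups an inventory of paths by directory and flags directories where the launcher and the DLL appear together, noting whether a desktop.ini sits beside them.

```python
"""Hunt for the DLL side-loading file set described in the article.

Added example, not Symantec's or the article's own code. The three file
names come from the article; the inventory below is constructed.
"""
from collections import defaultdict

LAUNCHER = "active_desktop_launcher.exe"    # legitimate KuGou launcher
HIJACKED_DLL = "active_desktop_render.dll"  # malicious DLL loaded by the launcher
SHELLCODE_FILE = "desktop.ini"              # encrypted shellcode container


def _split(path):
    """Split a Windows or POSIX path into (directory, filename), case-folded."""
    norm = path.replace("\\", "/").lower()
    head, _, tail = norm.rpartition("/")
    return head, tail


def find_sideload_sets(paths):
    """Group file paths by directory and flag directories holding both the
    legitimate launcher and the malicious DLL. desktop.ini on its own is
    never flagged, because it is a normal Windows file found in many
    folders; it only raises confidence when the other two are present."""
    by_dir = defaultdict(set)
    for p in paths:
        d, name = _split(p)
        by_dir[d].add(name)
    hits = []
    for d in sorted(by_dir):
        names = by_dir[d]
        if LAUNCHER in names and HIJACKED_DLL in names:
            hits.append({
                "dir": d,
                "shellcode_file_present": SHELLCODE_FILE in names,
            })
    return hits


# Constructed inventory (not real telemetry) to exercise the check.
SAMPLE_INVENTORY = [
    r"C:\Windows\Temp\upd\active_desktop_launcher.exe",
    r"C:\Windows\Temp\upd\active_desktop_render.dll",
    r"C:\Windows\Temp\upd\desktop.ini",
    r"C:\Users\Public\desktop.ini",                          # benign, alone
    r"C:\Program Files\KuGou\active_desktop_launcher.exe",   # launcher alone
    r"C:\ProgramData\t\ACTIVE_DESKTOP_LAUNCHER.EXE",         # case differs
    r"C:\ProgramData\t\Active_Desktop_Render.dll",
]

if __name__ == "__main__":
    for hit in find_sideload_sets(SAMPLE_INVENTORY):
        print(hit)
```

Feeding it a real file inventory or EDR file-creation events from the Exchange server would surface the pair wherever it was dropped; the case-folding matters because Windows file names are case-insensitive and an attacker is free to vary the case.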

“The encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam”

The final step is to copy the LockFile ransomware payload to the local domain controller and push it across the network with the help of a script and executables that run on client hosts immediately after they authenticate to the server.