The LockBit ransomware operation is taking advantage of a Microsoft security tool to install Cobalt Strike payloads.
According to security researchers at SentinelOne who spotted the latest developments, the gang is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike beacons.
The finding has been made during the investigation into a recent cybersecurity incident. According to the researchers, the attackers gained initial access through the Log4j vulnerability in the victim’s VMWare Horizon Server and modified the Blast Secure Gateway component of the application installing a web shell using PowerShell code.
The threat actor then performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike.
After establishing access to a target system and gaining the required user privileges, the threat actors leveraged PowerShell to download three files: a clean copy of a Windows CL utility, a DLL file, and a LOG file.
“MpCmd.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file,” the researchers wrote.
“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel “living off the land” tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne has warned. “Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”