2 August 2022

LockBit ransomware sideloads Cobalt Strike via Windows Defender

The LockBit ransomware operation is taking advantage of a Microsoft security tool to install Cobalt Strike payloads.

According to security researchers at SentinelOne who spotted the latest developments, the gang is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike beacons.

The finding was made during the investigation of a recent cybersecurity incident. According to the researchers, the attackers gained initial access through the Log4j vulnerability in the victim’s VMware Horizon server and modified the Blast Secure Gateway component of the application, installing a web shell using PowerShell code.

The threat actor then performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike.

After establishing access to a target system and gaining the required user privileges, the threat actors leveraged PowerShell to download three files: a clean copy of the Windows Defender command-line utility (MpCmdRun.exe), a DLL file, and a LOG file. The legitimate, Microsoft-signed executable is placed alongside a malicious DLL carrying the name of a library it normally imports, so that the trusted binary loads the attacker’s code instead of the real one.

“MpCmd.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file,” the researchers wrote.

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne has warned. “Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”
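The side-loading chain described above (a clean MpCmdRun.exe dropped next to a rogue mpclient.dll) leaves two observable traces that do not depend on the payload: the Defender utility runs from a directory where Defender was never installed, and the module named mpclient.dll is loaded from outside the Defender platform directory and is not Microsoft-signed. The following hunt is an added example, not code from SentinelOne or from the article; it runs over constructed Sysmon-style records (Event ID 1 process creation and Event ID 7 image load) embedded inline. The trusted directories assume a default Windows Defender installation, and the version folder and file paths in the sample events are illustrative.

```python
"""Hunt for MpCmdRun.exe side-loading a rogue mpclient.dll.

Added example (not from SentinelOne or the article). Input records mimic
Sysmon Event ID 1 (process create) and Event ID 7 (image load) fields.
"""
import ntpath

# Where the real Defender binaries live on a default install (assumption).
TRUSTED_DEFENDER_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform\\"[:-1],
    r"c:\program files\windows defender\\"[:-1],
)


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the legitimate Defender directories."""
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DEFENDER_DIRS)


def basename(path: str) -> str:
    """Case-insensitive Windows file name, regardless of the host OS."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the reasons (possibly none) an event matches the side-load pattern."""
    reasons = []
    if event["EventID"] == 1:
        image = event["Image"]
        # Defender's own command-line tool starting from a user-writable path.
        if basename(image) == "mpcmdrun.exe" and not in_trusted_dir(image):
            reasons.append(f"MpCmdRun.exe started from untrusted path {image}")
    elif event["EventID"] == 7:
        proc, loaded = event["Image"], event["ImageLoaded"]
        if basename(loaded) == "mpclient.dll":
            # The DLL the clean binary imports, supplied from the wrong place...
            if not in_trusted_dir(loaded):
                reasons.append(f"{basename(proc)} loaded mpclient.dll from untrusted path {loaded}")
            # ...and/or lacking Microsoft's signature (Sysmon reports Signed/Signature).
            signed = event.get("Signed", "false").lower() == "true"
            microsoft = "microsoft" in event.get("Signature", "").lower()
            if not (signed and microsoft):
                reasons.append(f"mpclient.dll at {loaded} is not Microsoft-signed")
    return reasons


def hunt(events) -> list:
    """Return (event index, reason) pairs for every suspicious event."""
    return [(i, r) for i, e in enumerate(events) for r in evaluate(e)]


# Constructed sample telemetry: two legitimate Defender events, two side-load
# events, and an unrelated image load. Paths and version folder are illustrative.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PLATFORM + r"\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -SignatureUpdate"},
    {"EventID": 7, "Image": PLATFORM + r"\MpCmdRun.exe",
     "ImageLoaded": PLATFORM + r"\MpClient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -Scan"},
    {"EventID": 7, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The two checks are deliberately independent: an attacker who steals or forges a signature still trips the path check, and one who manages to write into the Platform directory still trips the signature check. In a real deployment the trusted-directory list should be generated from the installed Defender platform versions rather than hard-coded.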
