LockBit 3.0 loads Cobalt Strike through Windows Defender - Security Affairs
An affiliate of the LockBit 3.0 ransomware-as-a-service (RaaS) operation abused the Windows Defender command-line tool to deploy Cobalt Strike payloads.
During a recent investigation, SentinelOne researchers observed threat actors associated with the LockBit 3.0 RaaS operation abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
The attackers initially compromised target networks by exploiting the Log4j vulnerability in an unpatched VMware Horizon server. They then modified the Blast Secure Gateway component of the application by installing a web shell using the PowerShell code detailed here.
Once they had gained a foothold in the target system, the attackers executed a series of enumeration commands and attempted to run several post-exploitation tools, including Meterpreter and PowerShell Empire, and used a new technique to load Cobalt Strike.
“In particular, while attempting to run Cobalt Strike, we observed a new legitimate tool being used to sideload a malicious DLL, which decrypts the payload,” reads the analysis published by SentinelOne. “Previously observed techniques to evade defenses by removing user hooks from EDR/EPP, Event Tracing for Windows, and Antimalware Scan Interface have also been observed.”
SentinelOne emphasizes the importance of sharing information about newly abused “living off the land” tools used to drop Cobalt Strike beacons and evade detection by mainstream security solutions.
MpCmdRun.exe is a command-line tool used to perform various functions in Microsoft Defender Antivirus, including scanning for malware, collecting diagnostic data, and restoring service to a previous version, among others.
“It’s important to note that the tools that need to be scrutinized are those for which the organization or the organization’s security software has made exceptions. Products like VMware and Windows Defender have a high prevalence in the enterprise and great utility for threat actors if they are allowed to operate outside of installed security controls,” concludes the analysis.