Gandalf_The_Grey (Thread author):
A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.
Cobalt Strike is a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it.
However, security solutions have become better at detecting Cobalt Strike beacons, causing threat actors to look for innovative ways to deploy the toolkit.
In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs noticed the abuse of Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons.
The initial network compromise in both cases was conducted by exploiting a Log4j flaw on vulnerable VMware Horizon servers to run PowerShell code.
Side-loading Cobalt Strike beacons on compromised systems isn’t new for LockBit, as there are reports about similar infection chains relying on the abuse of VMware command line utilities.
Source: "LockBit operator abuses Windows Defender to load Cobalt Strike" (www.bleepingcomputer.com)
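The technique above (a signed Microsoft binary, MpCmdRun.exe, copied somewhere it does not belong and made to load an attacker-supplied DLL) leaves a simple pattern in endpoint telemetry: the Defender tool running from a non-Defender path, and/or loading a DLL from its own directory that Microsoft did not sign. The following detection pass is an added example, not code from the article, from Sentinel Labs or from BleepingComputer. It runs over constructed Sysmon-style records (Event ID 1 = process create, Event ID 7 = image load); the allowlist of Defender install directories, the field names and the sample paths are assumptions for the example, not indicators quoted from the report.

```python
"""Flag DLL side-loading through MpCmdRun.exe in Sysmon-like event records.

Added example; the records below are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath

# Assumed legitimate homes of Defender binaries (tune to your environment).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix/dirname checks are stable."""
    return path.replace("/", "\\").lower()


def in_defender_dir(path: str) -> bool:
    return _norm(path).startswith(DEFENDER_DIRS)


def is_mpcmdrun(path: str) -> bool:
    return ntpath.basename(_norm(path)) == "mpcmdrun.exe"


def check_event(ev: dict) -> str | None:
    """Return a reason if the event looks like MpCmdRun.exe side-loading, else None."""
    image = ev.get("Image", "")
    if not is_mpcmdrun(image):
        return None

    # Process creation: the tool itself relocated outside its install directories.
    if ev["EventID"] == 1 and not in_defender_dir(image):
        return f"MpCmdRun.exe started from non-Defender path {image}"

    # Image load: what DLL did the tool pull in, and from where?
    if ev["EventID"] == 7:
        dll = ev["ImageLoaded"]
        signer = ev.get("Signature", "").lower()
        if not ev.get("Signed", False) or "microsoft" not in signer:
            return f"MpCmdRun.exe loaded unsigned/non-Microsoft DLL {dll}"
        # Classic side-load shape: DLL sits next to the executable, and that
        # directory is not one where Defender binaries legitimately live.
        exe_dir = ntpath.dirname(_norm(image))
        if ntpath.dirname(_norm(dll)) == exe_dir and not in_defender_dir(dll):
            return f"MpCmdRun.exe loaded {dll} from its own non-Defender directory"
    return None


def find_sideloading(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, reason) for every suspicious record."""
    hits: list[tuple[int, str]] = []
    for idx, ev in enumerate(events):
        reason = check_event(ev)
        if reason:
            hits.append((idx, reason))
    return hits


# Constructed sample records. Indexes 0-2 are benign Defender activity,
# 3-4 show the relocated tool loading a DLL dropped beside it, 5 is noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2205.7-0\\MpClient.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\MpCmdRun.exe"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\MpCmdRun.exe",
     "ImageLoaded": "C:\\Users\\Public\\mpclient.dll",
     "Signed": False, "Signature": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    for idx, reason in find_sideloading(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The path allowlist catches the case the article describes (the tool copied next to a malicious DLL); the signature check catches the variant where the binary is left in place but a DLL search-order entry is hijacked, which a path rule alone would miss. In production you would feed real Sysmon or EDR image-load events into `find_sideloading` rather than the constructed list.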