Jump to content
  • Beware: LockBit actors using Microsoft Defender to infect PCs with Cobalt Strike beacon


    Karlston

    • 618 views
    • 2 minutes
     Share


    • 618 views
    • 2 minutes

    Cybersecurity research company SentinelOne has published news today that should put Microsoft on high alert if it's not already. The former has discovered that the Redmond's giant in-house anti-malware solution is being abused to load Cobalt Strike beacon on to potential victims. The threat actors in this case are LockBit Ransomware as a Service (RaaS) operators and affiliates who are using the dedicated command-line tool in Defender dubbed "mpcmdrun.exe", among other things, to infect victim PCs.

     

    In its blog post describing this new attack, SentinelOne says:

     

    During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

     

    [...]

     

    Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

     

    The attack process works pretty much the same way as a previous VMware CLI case. The threat actors essentially exploit the Log4j vulnerability to download the MpCmdRun, the "mpclient" malicious DLL file and the encrypted Cobalt Strike payload file from its Command-and-Control (C2) server to infect a potential victim's system.

     

    [...] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.

     

    As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:

     

    Filename Description

    MpCmdRun.exe

     

    Legitimate/signed Microsoft Defender utility
    mpclient.dll Weaponized DLL loaded by MpCmdRun.exe

    C0000015.log

     

    Encrypted Cobalt Strike payload

     

     

    The following diagram shows the attack chain:

     

    1659129546_lockbit_sideloading_attack_ch

     

    You can find the Indicators of Compromise as well as more technical details on the official blog post here.

     

     

    Beware: LockBit actors using Microsoft Defender to infect PCs with Cobalt Strike beacon


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...