LockBit Ransomware Abuses Windows Defender to Load Cobalt Strike Payload


A threat actor associated with the LockBit 3.0 Ransomware-as-a-Service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to a report published by SentinelOne last week, the intrusion began with the threat actor gaining initial access by exploiting the Log4Shell vulnerability (CVE-2021-44228) on an unpatched VMware Horizon server.

“Once initial access was obtained, the threat actors executed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,” researchers Julio Dantas, James Haughom and Julien Reisdorffer said.

LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!”, is the next iteration of the prolific LockBit RaaS family; it emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.

It is notable for running the first bug bounty program of any RaaS operation. In addition to a revamped leak site to name and shame non-paying victims and publish exfiltrated data, it also includes a new search function to make it easier to find specific victims' data.

The use of living-off-the-land (LotL) techniques by intruders, in which legitimate software and features already present on the system are repurposed for post-exploitation, is not new and is usually an attempt to evade detection by security software.

Earlier this April, a LockBit affiliate was found leveraging a VMware command-line tool called VMwareXferlogs.exe to drop Cobalt Strike. What is different this time is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command line tool to perform various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

In the incident analyzed by SentinelOne, initial access was followed by the download of a Cobalt Strike payload from a remote server, which was then decrypted and loaded through DLL side-loading by the Windows Defender command-line utility, MpCmdRun.exe.
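The behaviour described above leaves a simple telemetry footprint: MpCmdRun.exe, a Microsoft-signed binary, loading a DLL that does not live in a Defender or Windows system directory, or running from a location where Defender never installs it. The hunting script below, added here as an illustration and not part of the SentinelOne report or the original article, parses Sysmon Event ID 7 (Image loaded) records and flags exactly those conditions. The log lines are constructed sample data in a key=value export style; the file paths, the unsigned look-alike DLL name and the version-numbered platform directory are assumptions chosen to mirror the side-loading pattern, not values taken from the report.

```python
import re

# Directories from which Microsoft Defender legitimately runs and loads its own DLLs
# (lower-case, trailing backslash so prefix checks stay inside the directory).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
# System directories any Windows process may load DLLs from.
WINDOWS_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed Sysmon Event ID 7 records (sample data, not real telemetry).
# Record 1 is the side-loading pattern: MpCmdRun.exe copied to a user-writable
# directory and loading an unsigned DLL whose name mimics Defender's own MpClient.dll.
SAMPLE_EVENTS = [
    'EventID=7 Image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2207.5-0\\MpCmdRun.exe" '
    'ImageLoaded="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2207.5-0\\MpClient.dll" '
    'Signed=true Signature="Microsoft Windows"',
    'EventID=7 Image="C:\\Users\\Public\\MpCmdRun.exe" '
    'ImageLoaded="C:\\Users\\Public\\mpclient.dll" Signed=false Signature=""',
    'EventID=7 Image="C:\\Program Files\\Windows Defender\\MpCmdRun.exe" '
    'ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed=true Signature="Microsoft Windows"',
    'EventID=7 Image="C:\\Windows\\System32\\notepad.exe" '
    'ImageLoaded="C:\\Windows\\System32\\user32.dll" Signed=true Signature="Microsoft Windows"',
]

# key=value pairs; values may be double-quoted (paths with spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event):
    """Return the reasons an Image-loaded event is suspicious (empty list if benign).

    Only events where the loading process is MpCmdRun.exe are considered.
    """
    if event.get("EventID") != "7":
        return []
    image = event.get("Image", "").lower()
    if not image.endswith("\\mpcmdrun.exe"):
        return []

    loaded = event.get("ImageLoaded", "").lower()
    reasons = []
    # 1. The Defender binary itself was copied somewhere Defender does not install it.
    if not image.startswith(DEFENDER_DIRS):
        reasons.append("MpCmdRun.exe running from non-standard path: " + event["Image"])
    # 2. The DLL comes from outside the Defender platform and Windows system directories,
    #    which is what DLL search-order side-loading looks like.
    if not loaded.startswith(DEFENDER_DIRS + WINDOWS_DIRS):
        reasons.append("DLL loaded from outside Defender/Windows directories: " + event["ImageLoaded"])
    # 3. Defender's own modules are Microsoft-signed; anything else is a red flag.
    signed = event.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("loaded DLL is not Microsoft-signed")
    return reasons


def hunt(lines):
    """Return (record index, reasons) for every suspicious record in a log export."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"record {idx}:")
        for reason in reasons:
            print("  -", reason)
```

The prefix check against the version-numbered `Platform\<version>\` directory is deliberate: Defender updates its engine into a fresh versioned folder, so pinning a single path would break after the next platform update. On a real estate the same three checks map directly onto a SIEM rule over Sysmon Event ID 7 (or the equivalent EDR image-load telemetry); the signature check is the one most worth keeping even where the allow-listed paths need tuning.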

“Tools that should be carefully examined are those for which the organization or the organization’s security software has made exceptions,” the researchers said.

“Products such as VMware and Windows Defender have a high prevalence in the enterprise and have great utility to threat actors if they are allowed to operate outside of installed security controls.”

The findings come as initial access brokers (IABs) are actively selling access to corporate networks, including managed service providers (MSPs), to other threat actors for profit, in turn providing a way to compromise downstream customers.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the UK and the US warned of attacks that weaponize vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with cascading effects worldwide”.

“MSPs remain an attractive target in the supply chain for attackers, especially IABs,” said Huntress researcher Harlan Carvey, urging companies to secure their networks and implement multi-factor authentication (MFA).