LockBit operator abuses Windows Defender to load Cobalt Strike
2022-07-29 14:29

A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.

Security solutions have become better at detecting Cobalt Strike beacons, causing threat actors to look for innovative ways to deploy the toolkit.

In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs noticed the abuse of Microsoft Defender's command line tool "MpCmdRun.exe" to side-load malicious DLLs that decrypt and install Cobalt Strike beacons.

Side-loading Cobalt Strike beacons on compromised systems isn't new for LockBit, as there are reports about similar infection chains relying on the abuse of VMware command line utilities.

The code in the side-loaded DLL then loads and decrypts an encrypted Cobalt Strike payload from the "c0000015.log" file, which was dropped along with the other two files during the earlier stage of the attack.

While it's unclear why the LockBit affiliate switched from VMware to Windows Defender command line tools for side-loading Cobalt Strike beacons, it might be to bypass targeted protections implemented in response to the previous method.
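The chain described above hinges on two observable conditions: a signed Defender binary (MpCmdRun.exe) executing from a directory it was never installed to, and a DLL being loaded from that same directory. The following detection logic is an added example, not code from the article or from Sentinel Labs; it assumes Sysmon-style image-load events carrying the Event ID 7 fields Image, ImageLoaded, Signed and SignatureStatus, an allow-list of Defender install directories, and constructed sample input.

```python
"""Flag MpCmdRun.exe DLL side-loading in Sysmon-style image-load events.
Assumed (not from the article): events carry the Sysmon Event ID 7 fields
Image, ImageLoaded, Signed, SignatureStatus; DEFENDER_DIRS is the allow-list."""
from pathlib import PureWindowsPath

# Assumed allow-list of directories Defender normally runs MpCmdRun.exe from.
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)
PAYLOAD_CONTAINER = "c0000015.log"  # encrypted beacon file named in the article

def _under_defender_dir(path: str) -> bool:
    """True if path is an allow-listed directory or lies beneath one."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) == p or PureWindowsPath(d) in p.parents
               for d in DEFENDER_DIRS)

def analyze_image_load(event: dict) -> list[str]:
    """Return the reasons one image-load event looks like MpCmdRun side-loading."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() != "mpcmdrun.exe":
        return []  # only the signed binary this article concerns
    findings = []
    if not _under_defender_dir(str(image)):
        findings.append("mpcmdrun_outside_defender_dir")
    # Side-loading depends on a DLL placed beside the relocated binary.
    if (loaded.suffix.lower() == ".dll" and loaded.parent == image.parent
            and not _under_defender_dir(str(loaded))):
        findings.append("dll_loaded_from_binary_dir")
    if (event.get("Signed", "false").lower() != "true"
            or event.get("SignatureStatus") != "Valid"):
        findings.append("loaded_dll_not_validly_signed")
    return findings

def analyze_directory(directory: str, files: list[str]) -> list[str]:
    """Flag a directory holding a relocated MpCmdRun.exe next to the log container."""
    names = {f.lower() for f in files}
    if "mpcmdrun.exe" not in names or _under_defender_dir(directory):
        return []
    findings = ["relocated_mpcmdrun"]
    if PAYLOAD_CONTAINER in names:
        findings.append("payload_container_present")
    return findings
```

Feed `analyze_image_load` each Sysmon Event ID 7 record and `analyze_directory` a listing of any directory where MpCmdRun.exe turns up; an empty list means nothing matched.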
News URL

https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-windows-defender-to-load-cobalt-strike/