LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload (Security News, August 2022)
A threat actor associated with the LockBit 3.0 ransomware-as-a-service operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.
"Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.
LockBit 3.0, which comes with the tagline "Make Ransomware Great Again!," is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.
MpCmdRun.exe is the command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version.
In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.
"Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls."
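A defender-side check for the pattern described in this incident, added here as an example that is not part of the article or of SentinelOne's report: it flags the Defender command-line tool running from outside its installed directories, or loading a DLL from outside them, over constructed Sysmon-style process-create and image-load events (the event field names and every path below are assumptions, not data from the case).

```python
"""Flag Windows Defender's command-line tool (MpCmdRun.exe) being used to
side-load a DLL from an unexpected location.  Events are constructed,
Sysmon-style dictionaries: EventID 1 = process create, 7 = image load."""
from __future__ import annotations
import ntpath

# Directories where the genuine Defender binaries and their DLLs live
# (assumed standard install locations; the Platform tree has versioned subdirs).
TRUSTED_DIRS = (
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender\\platform",
)

def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def classify(event: dict) -> str | None:
    """Return a finding for a suspicious event, or None if it looks benign."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        return None
    if event["EventID"] == 1 and not _in_trusted_dir(image):
        # A copied Defender CLI dropped into a staging directory.
        return f"MpCmdRun.exe launched from untrusted path: {image}"
    if event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        if not _in_trusted_dir(loaded):
            # The genuine tool only needs DLLs from its own install tree; a DLL
            # pulled from anywhere else is the side-loading pattern.
            return f"MpCmdRun.exe loaded DLL from untrusted path: {loaded}"
    return None

def scan(events: list[dict]) -> list[str]:
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\stage\MpCmdRun.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\stage\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\stage\sideloaded.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same two conditions map directly onto Sysmon Event ID 1 and 7 fields, with TRUSTED_DIRS adjusted to the organisation's actual Defender install paths.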
News URL: https://thehackernews.com/2022/08/lockbit-ransomware-abuses-windows.html