Windows Defender hacked to deploy this dangerous ransomware
Windows Defender is being abused to side-load LockBit 3.0
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Log4j vulnerabilities are now being used to deploy Cobalt Strike beacons through theWindows Defendercommand line tool, researchers have found.
Cybersecurity researchers from Sentinel Labs recently spotted a new method, employed by an unknown threat actor, with the endgame being the deployment of LockBit 3.0ransomware.
It works like this: the threat actor would leverage log4shell (as the Log4j zero-day is dubbed) to gain access to a target endpoint, and obtain the necessary user privileges. Once that’s out of the way, they’d use PowerShell to download three separate files: a Windows CL utility file (clean), a DLL file (mpclient.dll), and a LOG file (the actual Cobalt Strike beacon).
Side-loading Cobalt Strike
They would then run MpCmdRun.exe, a command line utility that performs various tasks forMicrosoftDefender. That program would usually load a legitimate DLL file - mpclient.dll, which it needs to correctly run. But in this instance, the program would load a malicious DLL of the same name, downloaded together with the program.
That DLL will have the LOG file load and decrypt an encrypted Cobalt Strike payload.
It’s a method known as side-loading.
Microsoft SQL servers hit by Cobalt Strike attacks>Patched Cobalt Strike vulnerabilities could have dealt a crippling blow to malicious users>Stay safe from cybercriminals with the best endpoint protection services around
Usually, this LockBit affiliate used VMware’s command line tools to side-load Cobalt Strike beacons,BleepingComputersays, so the switch to Windows Defender is somewhat unusual. The publication speculates the change was made to bypass targeted protections that VMware recently introduced. Still, using living-off-the-land tools to evade being detected byantivirusormalwareprotection services is “extremely common” these days, the publication concludes, urging businesses to check their security controls and be vigilant with tracking how legitimate executables are being (ab)used.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Even though Cobalt Strike is a legitimate tool, used for penetration testing, it’s grown quite infamous as it’s being abused by threat actors everywhere. It comes with an extensive list of features that cybercriminals can use to map out the target network, undetected, and move laterally across endpoints, as they prepare to steal data and deploy ransomware.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new malware utilizes a rare programming language to evade traditional detection methods
A new form of macOS malware is being used by devious North Korean hackers
Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time
