LockBit Operators Abusing Microsoft Defender To Load Cobalt Strike Beacon

Researchers from the cybersecurity company SentinelOne have found that Microsoft’s Windows Defender is being abused by a threat actor associated with the LockBit 3.0 ransomware operation to load Cobalt Strike beacons onto compromised systems while evading EDR and antivirus detection.

The researchers found that Microsoft Defender’s command-line tool “MpCmdRun.exe” was abused to side-load a malicious DLL that decrypts and loads a Cobalt Strike beacon on the victim’s PC.

For those unaware, MpCmdRun.exe is the signed command-line utility that ships with Microsoft Defender Antivirus; administrators and scripts use it to run scans, update signatures and perform similar maintenance tasks. Because it is a trusted Microsoft binary, security tools tend not to scrutinise it, which is exactly why an attacker would want it to do the loading.

“During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads,” SentinelOne wrote in detail about the new attack in its blog post.

Image: LockBit side-loading attack chain

In the incidents SentinelOne investigated, the initial compromise came from exploiting the Log4j vulnerability (Log4Shell, CVE-2021-44228) against an unpatched VMware Horizon server to run PowerShell code. That PowerShell downloaded three files from the attacker’s command-and-control (C2) server: the legitimate MpCmdRun.exe, the malicious mpclient.dll, and the encrypted Cobalt Strike payload.

The threat actor downloads a malicious DLL, the encrypted payload, and the legitimate tool from their controlled C2:

Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

[…] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.

The trick works because MpCmdRun.exe looks for mpclient.dll, a DLL it normally depends on, and when a copy of the executable is dropped into an attacker-controlled directory it resolves that name from the same directory first. The components tied to the abuse of the Defender command-line tool are:

Filename        Description
mpclient.dll    Weaponized DLL loaded by MpCmdRun.exe
MpCmdRun.exe    Legitimate, signed Microsoft Defender utility
C0000015.log    Encrypted Cobalt Strike payload

For more technical details, you can check out the official blog post here.

Kavita Iyer, https://www.techworm.net
