LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike Payloads

The attacker abused the VMware command-line utility VMwareXferlogs.exe to alter VMware Tools settings.

A threat actor linked to the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to endpoint security firm SentinelOne, the ransomware operator abused the VMware command-line utility VMwareXferlogs.exe to alter VMware Tools settings and the interface on the targeted systems and to download a Cobalt Strike payload. The actor also leveraged a command-line tool associated with Windows Defender, MpCmdRun.exe, to decrypt and load Cobalt Strike payloads.

Subsequently, the malicious actor exploited the Log4Shell vulnerability, a bug in an open-source logging library used by applications and services across the internet, and performed reconnaissance of the network before downloading the Cobalt Strike payload.

SentinelOne stated that defenders need to be vigilant, as actors associated with the LockBit ransomware are exploring the abuse of "novel living off the land tools" to deploy Cobalt Strike beacons while bypassing traditional AV detection.

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne said. 

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the company added. 
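The two SentinelOne observations above (a Defender or VMware binary being run from a location the product never installs it in, and the advice to scrutinize tools that have security exceptions) translate naturally into a detection rule. The following is an added example, not code from the original post or from SentinelOne: a small Python scan over constructed process-creation log lines that flags MpCmdRun.exe or VMwareXferlogs.exe executing from outside the directories where the products normally install them. The log format, the sample lines and the expected-directory list are assumptions for this example and should be tuned to the installs actually present in an environment.

```python
"""Flag watch-listed living-off-the-land binaries that run from outside their
expected install directories.  Added example with constructed log lines; the
expected directories and log format are assumptions, not SentinelOne's rules."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Where each watch-listed binary is expected to live (assumption for this
# example; a versioned subdirectory of one of these also counts as expected).
EXPECTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (
        r"c:\program files\vmware\vmware tools",
    ),
}

# Constructed process-creation log format: ts pid=N image="..." parent="..." cmdline="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]+)"'
    r'\s+parent="(?P<parent>[^"]+)"\s+cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample events: one legitimate Defender run, one from a versioned
# platform directory, two copies executed from a user-writable folder, and noise.
SAMPLE_LOG = r"""
2022-08-01T10:00:01Z pid=4120 image="C:\Program Files\Windows Defender\MpCmdRun.exe" parent="C:\Windows\System32\svchost.exe" cmdline="MpCmdRun.exe -SignatureUpdate"
2022-08-01T10:01:30Z pid=4388 image="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe" parent="C:\Windows\System32\svchost.exe" cmdline="MpCmdRun.exe -SignatureUpdate"
2022-08-01T10:02:13Z pid=5532 image="C:\Users\Public\MpCmdRun.exe" parent="C:\Windows\System32\cmd.exe" cmdline="MpCmdRun.exe"
2022-08-01T10:03:40Z pid=5610 image="C:\Users\Public\VMwareXferlogs.exe" parent="C:\Windows\System32\cmd.exe" cmdline="VMwareXferlogs.exe"
2022-08-01T10:04:02Z pid=5700 image="C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe" parent="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" cmdline="VMwareXferlogs.exe"
2022-08-01T10:05:00Z pid=5801 image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmdline="notepad.exe"
"""


def normalize(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower().rstrip("\\")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_expected_location(image: str) -> bool:
    """True when the image is not watch-listed, or runs from (a subdirectory of)
    one of its expected install directories."""
    norm = normalize(image)
    allowed = EXPECTED_DIRS.get(ntpath.basename(norm))
    if allowed is None:
        return True
    directory = ntpath.dirname(norm)
    return any(directory == d or directory.startswith(d + "\\") for d in allowed)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose watch-listed image runs from an unexpected path."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:  # malformed or blank line: skip rather than fail the scan
            continue
        if not is_expected_location(event["image"]):
            name = ntpath.basename(event["image"])
            alerts.append({**event, "reason": f"{name} executed from an unexpected directory"})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.strip().splitlines()):
        print(alert["ts"], alert["pid"], alert["image"], "<-", alert["parent"], ":", alert["reason"])
```

Run stand-alone, the script reports only the two copies executed from C:\Users\Public; the Defender binary under the versioned Platform directory is accepted because a prefix match on the expected directory is used rather than an exact path. The same check is the one to apply to any binary an organization has excluded from its security controls: the exclusion should be bound to the product's install path, not to the file name alone.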

The LockBit ransomware has been active since 2019 and has likely been used against thousands of organizations.

Earlier this year, in June, the LockBit ransomware gang announced the launch of LockBit 3.0, a new ransomware-as-a-service offering, along with a bug bounty program. The group said it would offer rewards ranging from $1,000 to $1 million to security researchers and ethical or unethical hackers for information on vulnerabilities in its website, the ransomware encryption process, the Tox messaging app, and bugs affecting its Tor infrastructure.

Labels: Cobalt Strike, Malicious Payload, Ransomware, Vulnerabilities and Exploits, Windows Defender