LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike
A type of ransomware known as “LockBit 3.0” is being used to deploy Cobalt Strike payloads via the Windows Defender command line tool.
A malicious actor is using a strain of ransomware known as LockBit 3.0 to abuse the Windows Defender command line tool, deploying Cobalt Strike Beacon payloads in the process.
Windows Users Are at Risk of Ransomware Attacks
Cybersecurity firm SentinelOne has reported a new threat actor who is using LockBit 3.0 (also known as LockBit Black) ransomware to abuse MpCmdRun.exe, a command line utility that forms an integral part of the Windows Security system. Because MpCmdRun.exe is a trusted, legitimately installed malware-scanning component that is expected to run on enterprise endpoints, it is an attractive host for malicious code, so its abuse in this attack is no surprise.
LockBit 3.0 is a new malware iteration that forms part of the well-known LockBit ransomware-as-a-service (RaaS) family, which offers ransomware tools to paying customers.
LockBit 3.0 is being used to deploy post-exploitation Cobalt Strike payloads, which can lead to data theft. Cobalt Strike can also bypass security software detection, making it easier for the malicious actor to access and encrypt sensitive information on a victim’s device.
In this side-loading technique, the Windows Defender utility is tricked into loading a malicious DLL (dynamic-link library) in place of the legitimate one it expects; the malicious DLL then decrypts a Cobalt Strike payload stored in a .log file.
LockBit Has Already Been Used to Abuse VMware Command Line
In the past, LockBit 3.0 actors were also found to have abused a VMware command line executable, VMwareXferlogs.exe, to deploy Cobalt Strike beacons. In that campaign, the attacker exploited the Log4Shell vulnerability and then used DLL side-loading to trick the VMware utility into loading a malicious DLL instead of the original, harmless one.
At the time of writing, it is not known why the malicious party has switched from abusing the VMware utility to abusing Windows Defender.
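Both the MpCmdRun.exe and VMwareXferlogs.exe cases share the same detection opportunity: a trusted binary either running from a directory it was never installed in, or loading a DLL from outside its install and system directories. The following is an added detection example, not code from the article or from SentinelOne; it runs over constructed image-load records shaped like the Image/ImageLoaded fields of Sysmon Event ID 7, the Defender install paths are the stock ones, and the VMware path and the file names in the sample records are assumptions.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Expected install directories for binaries abused for DLL side-loading.
# The Windows Defender locations are the stock install paths; the VMware
# location is an assumption and should match the local install.
EXPECTED_DIRS = {
    "mpcmdrun.exe": (r"c:\program files\windows defender",
                     r"c:\programdata\microsoft\windows defender\platform"),
    "vmwarexferlogs.exe": (r"c:\program files\vmware",),
}
# System DLL directories any process may legitimately load from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def _under(path: str, roots) -> bool:
    """True if path lies below any of the given directory roots."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(r.rstrip("\\") + "\\") for r in roots)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value;key=value' image-load record."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";"))

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason if the load looks like side-loading, else None."""
    exe = PureWindowsPath(ev["Image"])
    name = exe.name.lower()
    if name not in EXPECTED_DIRS:
        return None                      # not a binary we watch
    if not _under(ev["Image"], EXPECTED_DIRS[name]):
        return f"{name} running from unexpected path {exe.parent}"
    if not _under(ev["ImageLoaded"], EXPECTED_DIRS[name] + SYSTEM_DIRS):
        return f"{name} loaded DLL from outside install/system dirs: {ev['ImageLoaded']}"
    return None

def scan(lines) -> List[str]:
    """Run classify() over log records and return the reason for each hit."""
    hits = []
    for line in lines:
        if line.strip():
            reason = classify(parse_event(line))
            if reason:
                hits.append(reason)
    return hits

# Constructed sample records (not from a real incident); DLL names are made up.
SAMPLE_LOG = [
    r"Image=C:\Program Files\Windows Defender\MpCmdRun.exe;ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"Image=C:\Program Files\Windows Defender\MpCmdRun.exe;ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\Example.dll",
    r"Image=C:\Users\Public\MpCmdRun.exe;ImageLoaded=C:\Users\Public\sideload.dll",
    r"Image=C:\Windows\System32\notepad.exe;ImageLoaded=C:\Users\Public\sideload.dll",
]
```

Only the third record fires, because the Defender binary has been copied next to an attacker-controlled DLL; a legitimate MpCmdRun.exe loading a DLL from a user-writable directory would fire on the second check.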
SentinelOne Reports That VMware and Windows Defender Are High-Risk
SentinelOne’s blog post on the LockBit 3.0 attacks notes that “VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls”.
Attacks of this nature, in which security controls are evaded, are becoming increasingly common, and VMware and Windows Defender have become key targets in such campaigns.
LockBit Attacks Show No Signs of Stopping
Though this new wave of attacks has been recognized by various cybersecurity companies, living-off-the-land techniques continue to be used to abuse legitimate utilities and deploy malicious files for data theft. It is not known whether further utilities will be abused in the future by LockBit 3.0 or any other iteration of the LockBit RaaS family.