Lockbit attackers abuse Windows Defender to load Cobalt Strike

[German]Security researchers from Sentinel One have discovered an interesting attack path under Windows, which is used by the ransomware gang Lockbit. The group uses Windows Defender in its ransomware construction kit to load the Cobalt Strike test tool and then abuse it. The (unpatched) target system is attacked via the Log4j vulnerability.

The LockBit ransomware group has received a lot of attention recently, and LockBit 3.0 of this malware is now available. In this version, a number of anti-analysis and anti-debugging features are implemented. In this process, the group also uses the 'Living off the Land' (LotL) technique to load Cobalt Strike.

'Living off the Land' attacks use an operating system-level program file that already exists to load malicious code. At LockBit, SentinelLabs reported back in April that the group was abusing theVMware Command Line Tool, VMwareXferlogs.exe, to load Cobalt Strike.

Attack path, source: SentinelOne

Cobalt Strike is a software with flexible features to simulate industrial espionage on one's network, test defenses and increase one's computer security. However, it is also commonly used by real attackers such as APT groups or ransomware gangs, according to Wikipedia.

Windows Defender abused

Meanwhile, security researchers at SentinelLabs have come across an incident in which Windows Defender was misused as a loader by a LockBit operator or partner. A recent investigation found that the threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

MpCmdRun.exe is a command-line utility for performing Microsoft Defender tasks and supports commands to scan for malware, gather information, recover items, run diagnostics and more. The attacker proceeds in steps.

Once a Windows system with a Log4j vulnerability is found, the attackers try to launch a PowerShell. Once the threat actor gained sufficient privileges, it tried to download and execute several payloads after exploitation.

In the specific case, a manipulated DLL file mpclient.dll is also saved from an attack server to a path where Windows is known to load DLLs. This technique has been outlined as DLL hijacking more often here on the blog. Then the attackers use the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

Using this technique, the attacker hopes to trick Windows security tools, since MpCmdRun.exe is a legitimate and signed application. The Cobalt Strike beacon is loaded by the mpclient.dll file from the c0000015.log file and decrypted. Then, the threat actor attempted to run Cobalt Strike and then send the output to an IP address on a controlled server.

The lesson from this incident is that any tools for which either the organization or the organization's security software has set exceptions should be carefully reviewed. Products such as VMware and Windows Defender are widely used in the enterprise and provide a lot of value to threat actors if they are allowed to be used outside of installed security controls. Details can be read in this blog post published by security researchers. (via)