Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11LockBit Ransomware takes advantage of Microsoft Defender itself to infect
The information that has just been announced by cybersecurity research firm SentinelOne may startle Microsoft.
Specifically, according to SentinelOne, Microsoft's anti-virus / anti-virus tool is being abused by hackers to upload Cobalt Strike beacons to potential victims' computers. Thereby, hackers can install on the machine of ransomware victims LockBit using a dedicated command line tool in Defender called "mpcmdrun.exe".
On its blog, SentinelOne writes the following:
During a recent investigation, we discovered that hackers are abusing Windows Defender's MpCmdRun.exe command line tool ( formerly Microsoft Defender ) to decrypt and download Cobalt Strike payloads.
This is a very noticeable behavior and should be taken with extreme caution.
The attack process is quite similar to the previous VMware CLI case. Basically, the hacker exploits the Log4j vulnerability to download MpCmdRun, the malicious DLL file "mpclient" and the encrypted Cobalt Strike payload file from its Command-and-Control (C2) server to infect the computer. your multiplier.
MpCmd.exe was abused to side-load a custom mpclient.dll file, and load and decode Cobalt Strike beacons from the c0000015.log file.
Therefore, the components used in the attack specifically related to the use of the Windows Defender command-line tool are:
- MpCmdRun.exe: Legit , signed Microsoft Defender utility
- mpclient.dll: Custom DLL file loaded by MpCmdRun.exe
- C0000015.log: Encrypted Cobalt Strike Payload
Here is the hacker attack sequence:
LockBit Ransomware takes advantage of Microsoft Defender itself to infect Picture 1
This novel attack method shows that hackers are getting more and more sophisticated and they will never stop finding attack patterns that can evade the detection of popular security and anti-virus tools. In addition, there should be more careful supervision with the tools that businesses and organizations offer to avoid abuse.
Products like VMwarer and Windows Defender are so popular in the enterprise that they will become a tool of destruction in the hands of hackers if they find a way to abuse them.
Marvin FryYou should read it
- Microsoft Defender for Endpoint encountered an error that could not be started on Windows Server
- Microsoft claims Windows Defender is the best antivirus software
- Everything you need to know about the LockBit . ransomware family
- How to schedule a scan in Microsoft Defender Antivirus on Windows 10
- 7 kinds of ransomware you didn't expect
- This is the world's fastest ransomware, encrypting 53GB of data in just over 4 minutes
- Microsoft brings Windows Defender Antivirus to macOS
- Windows Defender Antivirus has the ability to quickly detect and delete malware
- How to fix errors cannot open Windows Defender on Windows 7/8/10
- PureLocker - a very 'weird' ransomware strain that can encrypt servers
- Ako ransomware is raging all over the world, what do you know about this ransomware?
- [Infographic] 7 effective ways to protect businesses from Ransomware
Maybe you are interested
Did you know there are two different Microsoft Defender applications?
Latest Anime Defenders code and how to enter code
How to set up Windows Defender to increase defense capabilities
How to fix Behavior:Win32/Hive.ZY Windows Defender error quickly and most effectively
How to turn off Windows Defender on the latest Windows 10 2024
How to turn off Windows Security (Windows Defender) easily
Technology story
Series of Android applications contain malicious code you should remove immediately from your device- Windows users silently receiving Microsoft Bing Service 2.0 update cannot be uninstalled
- Will Microsoft bring Windows 10's search bar to Windows 11?
- New technique can hack even computers completely isolated from the internet
- These Android apps with more than 100,000 downloads contain Joker malware, please remove immediately
- Please try Epic Games' extremely realistic human face creation tool
Series of Android applications contain malicious code you should remove immediately from your device
Windows users silently receiving Microsoft Bing Service 2.0 update cannot be uninstalled
Will Microsoft bring Windows 10's search bar to Windows 11?
New technique can hack even computers completely isolated from the internet
These Android apps with more than 100,000 downloads contain Joker malware, please remove immediately
Please try Epic Games' extremely realistic human face creation tool