LockBit Ransomware takes advantage of Microsoft Defender itself to infect

Microsoft's anti/virus engine is being abused by hackers to upload Cobalt Strike beacons to potential victims' computers.

The information that has just been announced by cybersecurity research firm SentinelOne may startle Microsoft.

Specifically, according to SentinelOne, Microsoft's anti-virus / anti-virus tool is being abused by hackers to upload Cobalt Strike beacons to potential victims' computers. Thereby, hackers can install on the machine of ransomware victims LockBit using a dedicated command line tool in Defender called "mpcmdrun.exe".

On its blog, SentinelOne writes the following:

During a recent investigation, we discovered that hackers are abusing Windows Defender's MpCmdRun.exe command line tool ( formerly Microsoft Defender ) to decrypt and download Cobalt Strike payloads.

This is a very noticeable behavior and should be taken with extreme caution.

The attack process is quite similar to the previous VMware CLI case. Basically, the hacker exploits the Log4j vulnerability to download MpCmdRun, the malicious DLL file "mpclient" and the encrypted Cobalt Strike payload file from its Command-and-Control (C2) server to infect the computer. your multiplier.

MpCmd.exe was abused to side-load a custom mpclient.dll file, and load and decode Cobalt Strike beacons from the c0000015.log file.

Therefore, the components used in the attack specifically related to the use of the Windows Defender command-line tool are:

  1. MpCmdRun.exe: Legit , signed Microsoft Defender utility
  2. mpclient.dll: Custom DLL file loaded by MpCmdRun.exe
  3. C0000015.log: Encrypted Cobalt Strike Payload

Here is the hacker attack sequence:

Picture 1 of LockBit Ransomware takes advantage of Microsoft Defender itself to infect

This novel attack method shows that hackers are getting more and more sophisticated and they will never stop finding attack patterns that can evade the detection of popular security and anti-virus tools. In addition, there should be more careful supervision with the tools that businesses and organizations offer to avoid abuse.

Products like VMwarer and Windows Defender are so popular in the enterprise that they will become a tool of destruction in the hands of hackers if they find a way to abuse them.

Update 01 August 2022
Category

System

Mac OS X

Hardware

Game

Tech info

Technology

Science

Life

Application

Electric

Program

Mobile