LockBit ransomware abuses Microsoft Defender itself to infect victims
Microsoft's anti-virus engine is being abused by hackers to load Cobalt Strike beacons onto potential victims' computers.
The information just announced by cybersecurity research firm SentinelOne may startle Microsoft.
Specifically, according to SentinelOne, Microsoft's anti-virus tool is being abused by hackers to load Cobalt Strike beacons onto potential victims' computers. From there, the hackers can install LockBit ransomware on the victim's machine using a dedicated command-line tool in Defender called "mpcmdrun.exe".
On its blog, SentinelOne writes the following:
During a recent investigation, we discovered that hackers are abusing Windows Defender's MpCmdRun.exe command line tool (formerly Microsoft Defender) to decrypt and download Cobalt Strike payloads.
This is a very noticeable behavior and should be taken with extreme caution.
The attack process is quite similar to the earlier VMware CLI case. The hacker exploits the Log4j vulnerability to download MpCmdRun.exe, the malicious DLL file "mpclient" and the encrypted Cobalt Strike payload file from their Command-and-Control (C2) server onto the victim's computer.
MpCmdRun.exe is abused to side-load a custom mpclient.dll file, which in turn loads and decodes the Cobalt Strike beacon from the c0000015.log file.
The components used in the attack that specifically relate to the abuse of the Windows Defender command-line tool are therefore:
- MpCmdRun.exe: Legitimate, signed Microsoft Defender utility
- mpclient.dll: Custom DLL file loaded by MpCmdRun.exe
- C0000015.log: Encrypted Cobalt Strike payload
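Because the genuine MpCmdRun.exe is signed, the detection opportunity lies in where it runs from and which mpclient.dll it loads. The following detection logic is an added example, not code from SentinelOne or Microsoft: it evaluates constructed Sysmon-style events (EventID 1 process create, EventID 7 image load) and flags MpCmdRun.exe running outside the Defender install directories, or an mpclient.dll loaded from elsewhere or without a valid Microsoft signature. The directory list and the Signature/SignatureStatus field values are assumptions about a default install and should be adjusted to your environment.

```python
import ntpath

# Directories where the genuine Defender binaries and mpclient.dll live on a
# default install (assumption: platform updates add versioned subfolders here).
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def in_expected_dir(path):
    """True if the path sits under one of the known Defender directories."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in EXPECTED_DEFENDER_DIRS)


def evaluate(event):
    """Return a finding string for a suspicious event, otherwise None."""
    if ntpath.basename(event.get("Image", "")).lower() != "mpcmdrun.exe":
        return None
    eid = event.get("EventID")
    if eid == 1 and not in_expected_dir(event["Image"]):
        return f"MpCmdRun.exe executed from unexpected path: {event['Image']}"
    if eid == 7:
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() == "mpclient.dll":
            if not in_expected_dir(loaded):
                return f"mpclient.dll side-loaded from unexpected path: {loaded}"
            if (event.get("Signature") != "Microsoft Windows"
                    or event.get("SignatureStatus") != "Valid"):
                return f"mpclient.dll without valid Microsoft signature: {loaded}"
    return None


def scan(events):
    """Run evaluate() over a sequence of events and collect the findings."""
    return [f for f in map(evaluate, events) if f]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\Public\MpCmdRun.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first two sample events model the legitimate tool and produce no finding; the last two model the copied binary and side-loaded DLL described above.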
Here is the hacker attack sequence:
This novel attack method shows that hackers are becoming ever more sophisticated and will never stop looking for attack patterns that evade detection by popular security and anti-virus tools. It also shows that businesses and organizations need to monitor the tools they deploy more carefully so that they cannot be abused.
Products like VMware and Windows Defender are so widespread in the enterprise that they become destructive tools in the hands of hackers once a way to abuse them is found.