LockBit Ransomware Abuses Window Defender To Deploy Cobalt Strike Payload

Researchers observed a threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

In harmony with a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.

Researchers Julio Dantas, James Haughom, and Julien Reisdorffer said, once threat actors gained access into the system, they performed a series of enumeration commands and attempted to run multiple post-exploitation tools. These attempts included Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike.

Lockbit Launches a new Campaign

LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!,” is the next iteration of the prolific LockBit RaaS family that ensued in June 2022 to iron out critical weaknesses found in its antecedent.

It’s significant for establishing what’s the first-ever bug bounty for a RaaS program. Besides featuring an altered leak site to name-and-shame non-compliant targets and publish extracted data, it also includes a new search tool to make it easier to find specific victim data.

LockBit Affiliate Leveraged A VMware Command-line Utility

Earlier this April, a LockBit affiliate was found to have leveraged a VMware command-line utility called VMwareXferlogs.exe to drop Cobalt Strike. What’s different this time around is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command-line tool for executing various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

The researchers said, “Tools that should receive scrutiny are any that either the organization or the organization’s security software have made exceptions for,”

They also maintained that products like VMware and Windows Defender when they operate outside security control are high utility tools in the hand of these threat actors.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with globally cascading effects.”

“MSPs remain an attractive supply chain target for attackers, particularly IABs,” Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).