LockBit Ransomware Injects Cobalt Strike on Windows by Abusing Windows Defender

LockBit seems to have been getting more attention than usual lately. Cybersecurity experts at Sentinel Labs have discovered that a LockBit 3.0 ransomware operator used Windows Defender to decrypt and load Cobalt Strike payloads.

Among threat actors, Cobalt Strike is recognized as an advanced suite of tools for penetration testing that offers a wide range of features.


The detection of Cobalt Strike beacons has improved with the advent of modern security solutions, so threat actors are looking for innovative ways to deploy the toolkit.

To side-load malicious DLLs, the threat actors are exploiting MpCmdRun.exe, the command-line tool of Microsoft Defender.

According to the report, side-loading Cobalt Strike beacons on compromised systems is not new for LockBit. Similar infection chains that abuse VMware command-line utilities to spread the infection have recently been reported.

Attack Flow

Once they have gained entry to a target system and obtained the user privileges they require, the threat actors use PowerShell to download three files.

Those three files are:

  • A Windows command-line (CL) utility
  • A DLL file
  • A LOG file

Windows Defender includes a command-line utility named MpCmdRun.exe that can be used to perform a number of tasks. Its key tasks are:

  • Commands to scan for malware
  • Collect information
  • Restore items
  • Perform diagnostic tracing

When MpCmdRun.exe runs, it loads a legitimate DLL file (mpclient.dll) that the program needs in order to operate correctly.

At this stage, an encrypted Cobalt Strike payload was loaded from the “c0000015.log” file and then decrypted by the executed code. This file was dropped together with the two other files during the earlier stages of the attack.
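Detection logic for the side-loading step described above, as an added example that is not from the original article or the Sentinel Labs report: it flags MpCmdRun.exe starting, or mpclient.dll loading, from outside Defender's install directories. The event records are constructed sample data, and the trusted directories are an assumption based on default Windows installations.

```python
import ntpath

# Assumption: default Defender locations on a standard Windows install.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# File names taken from the article's attack flow.
WATCHED = {"mpcmdrun.exe", "mpclient.dll"}


def in_trusted_dir(path):
    """True if the path, after resolving '..', sits under a trusted directory."""
    p = ntpath.normpath(path).lower()
    # The trailing separator stops look-alike folder names from matching.
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_sideloading(events):
    """Return (host, event type, path) for watched files outside trusted dirs."""
    alerts = []
    for ev in events:
        # process_create: check the started image; image_load: check the module.
        path = ev["image"] if ev["type"] == "process_create" else ev["loaded"]
        name = ntpath.basename(path).lower()
        if name in WATCHED and not in_trusted_dir(path):
            alerts.append((ev["host"], ev["type"], path))
    return alerts


# Constructed sample events (hypothetical hosts and paths, not from the report).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"host": "ws01", "type": "image_load",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "loaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"host": "ws02", "type": "process_create",
     "image": r"C:\Users\Public\MpCmdRun.exe"},
    {"host": "ws02", "type": "image_load",
     "image": r"C:\Users\Public\MpCmdRun.exe",
     "loaded": r"C:\Users\Public\mpclient.dll"},
]

if __name__ == "__main__":
    for alert in find_sideloading(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The same rule can be expressed in an EDR or SIEM query over process-creation and image-load telemetry; the field names used here are placeholders for whatever the log source provides.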

This event shows that LockBit operators have switched from VMware to Windows Defender command-line tools. However, it is not yet clear why the threat actors made the switch.

These days, it is very common for such tools to be used to evade EDR and AV detection, so evaluating an organization's security controls is extremely important.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.