LockBit 3.0 ransomware threat actors are exploiting the Windows Defender command line tool to drop Cobalt Strike beacons on compromised systems and evade detection by security software, according to security researchers at Sentinel Labs.
Cobalt Strike is a legitimate penetration testing tool with multiple features that allow threat actors to conduct network reconnaissance and lateral movement before deploying ransomware or other malware. In a recent incident response for a LockBit ransomware attack, researchers detected the abuse of Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious Dynamic-link libraries (DLLs) that decrypt and install Cobalt Strike beacons. According to Sentinel Labs researchers, “Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools.” The initial compromise occurred via the Log4j vulnerability against an unpatched VMWare Horizon Server. Therefore, to defend against this activity, members are encouraged to ensure all their systems are fully patched. Read more at BleepingComputer or access the full report at Sentinel Labs.