23.9 C
New York
Wednesday, August 17, 2022

Windows Defender hacked to deploy this dangerous ransomware

Log4j vulnerabilities are now being used to deploy Cobalt Strike beacons through the Windows Defender command line tool, researchers have found.

Cybersecurity researchers from Sentinel Labs recently spotted a new method, employed by an unknown threat actor, with the endgame being the deployment of LockBit 3.0 ransomware.

It works like this: the threat actor would leverage log4shell (as the Log4j zero-day is dubbed) to gain access to a target endpoint, and obtain the necessary user privileges. Once that’s out of the way, they’d use PowerShell to download three separate files: a Windows CL utility file (clean), a DLL file (mpclient.dll), and a LOG file (the actual Cobalt Strike beacon). 

Side-loading Cobalt Strike

They would then run MpCmdRun.exe, a command line utility that performs various tasks for Microsoft Defender. That program would usually load a legitimate DLL file – mpclient.dll, which it needs to correctly run. But in this instance, the program would load a malicious DLL of the same name, downloaded together with the program.

That DLL will have the LOG file load and decrypt an encrypted Cobalt Strike payload.

It's a method known as side-loading.

Usually, this LockBit affiliate used VMware’s command line tools to side-load Cobalt Strike beacons, BleepingComputer says, so the switch to Windows Defender is somewhat unusual. The publication speculates the change was made to bypass targeted protections that VMware recently introduced. Still, using living-off-the-land tools to evade being detected by antivirus or malware protection services is “extremely common” these days, the publication concludes, urging businesses to check their security controls and be vigilant with tracking how legitimate executables are being (ab)used.

Even though Cobalt Strike is a legitimate tool, used for penetration testing, it’s grown quite infamous as it’s being abused by threat actors everywhere. It comes with an extensive list of features that cybercriminals can use to map out the target network, undetected, and move laterally across endpoints, as they prepare to steal data and deploy ransomware. 

Via: BleepingComputer

Source link

Related Articles

German man, 98, is charged with war crimes over murders of Soviets detained during WWII 

Now Germany prosecutes Hitler's Stalag POW camp guards: 98-year-old is charged with...

Lions’ Nathan Rourke named CFL’s top performer for 3rd-straight week

By Staff The Canadian Press Posted August 16, 2022 8:10 pm Smaller font Descrease article font size -A Larger font Increase article font size A+

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

0FansLike
0FollowersFollow
0SubscribersSubscribe

Latest Articles

German man, 98, is charged with war crimes over murders of Soviets detained during WWII 

Now Germany prosecutes Hitler's Stalag POW camp guards: 98-year-old is charged with...

Lions’ Nathan Rourke named CFL’s top performer for 3rd-straight week

By Staff The Canadian Press Posted August 16, 2022 8:10 pm Smaller font Descrease article font size -A Larger font Increase article font size A+

A Participant In The 8 Steps Of The Million Upset Guido Kazka With A Special Custom: “It’s Unbelievable”

This week, Alejandro went to compete 8 million steps (El Tres) and quickly attracted attention guido the duckwhich with its attentive driver’s antennas, noticed...