Researchers have discovered that the Windows Defender command line tool is now being used to install Cobalt Strike beacons using Log4j vulnerabilities.
Sentinel Labs’ security researchers have discovered a new technique used by an unknown threat actor, with the goal of deploying LockBit 3.0 ransomware as a final result.
Using log4shell (as the Log4j zero-day has been termed), an attacker would get access to a target endpoint and achieve the requisite user rights. A Windows CL utility (clean), an mpclient.dll DLL, and an audit log file would be downloaded using PowerShell after that step was completed (the actual Cobalt Strike beacon).
It’s possible to sideload Cobalt Strike
MpCmdRun.exe, a command-line programme for Microsoft Defender, would then be executed. mpclient.dll is a legal DLL file that is normally loaded by that software in order for it to function properly. However, in this case, a malicious DLL with the identical name was downloaded along with the software and would be loaded by the programme.
Decryption of a Cobalt Strike payload will be performed via the use of this DLL.
Side-loading is the term for this technique.
BleepingComputer reports that this LockBit affiliate usually utilised VMware command line tools to sideload Cobalt Strike beacons, so the move to Windows Defender is a little out of the ordinary. Changes taken to avoid VMware’s newly announced targeted defences are speculated by the magazine. Although it is “extremely common” these days, the publication concludes, businesses should check their security controls and be vigilant in tracking how legitimate executables are being (ab)used and avoid being detected by antivirus (opens in new tab) or malware (opens in new tab) protection services.
A respectable tool for penetration testing, Cobalt Strike has become notorious because of its widespread usage by cybercriminals. Cybercriminals may use it to map out the target network unnoticed and travel across endpoints as they prepare to steal data and install ransomware.