LockBit actors use the Windows Defender command-line tool MpCmdRun.exe to load Cobalt Strike Beacon onto PCs. After that, the LockBit ransomware is installed. Microsoft should be on high alert if they aren't already.
Cybersecurity research company SentinelOne has published a report: its researchers discovered that Microsoft's built-in anti-malware solution is being abused to load Cobalt Strike Beacon onto victims' PCs and servers. The attackers in this case are operators of the LockBit ransomware-as-a-service (RaaS), who abuse MpCmdRun.exe to infect victims' PCs.
Microsoft Defender Tool abused
The attackers first exploit the Log4j vulnerability to gain access, then use MpCmdRun.exe to load a malicious "mpclient" DLL, which, together with the encrypted Cobalt Strike payload file, is downloaded from their command-and-control server. In this way a victim's system is infected in a targeted manner. The classic sequence follows: the LockBit extortion software is deployed, the system is encrypted and a ransom demand is displayed.
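As an added example (not code from the SentinelOne report or from the original post), the following Python script shows the kind of detection logic a defender could run over Sysmon-style process-creation and image-load events to spot this pattern: the Defender command-line tool running from, or loading mpclient.dll from, a directory that is not a Windows Defender install location. The trusted Defender directories are an assumption for this example and should be adjusted to your environment; the sample events are constructed, not real telemetry.

```python
"""Detection logic for the MpCmdRun.exe / mpclient.dll sideloading pattern.

Scans Sysmon-style events and flags MpCmdRun.exe running from, or loading
mpclient.dll from, a directory that is not a Windows Defender install root.
"""
from pathlib import PureWindowsPath

# Assumption for this example: these are the directories where Defender's own
# MpCmdRun.exe and mpclient.dll legitimately live. Adjust to your environment.
TRUSTED_DEFENDER_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# Constructed sample events modelled on Sysmon Event ID 1 (process create) and
# Event ID 7 (image loaded). They are invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate Defender scan: binary and DLL both under the Platform directory
        "EventID": 7, "Computer": "ws01",
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\mpclient.dll",
    },
    {   # copied binary loading a planted DLL from the same writable directory
        "EventID": 7, "Computer": "ws02",
        "Image": r"C:\Users\Public\MpCmdRun.exe",
        "ImageLoaded": r"C:\Users\Public\mpclient.dll",
    },
    {   # process-create only: MpCmdRun.exe started from a temp directory
        "EventID": 1, "Computer": "srv01",
        "Image": r"C:\Windows\Temp\MpCmdRun.exe",
    },
    {   # unrelated process, must be ignored
        "EventID": 7, "Computer": "ws01",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
    },
]


def is_under(path: str, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root`; Windows paths compare case-insensitively."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


def in_trusted_root(path: str) -> bool:
    """True if `path` is inside one of the assumed Defender install roots."""
    return any(is_under(path, root) for root in TRUSTED_DEFENDER_ROOTS)


def detect_sideload(events):
    """Return one alert per suspicious event; each alert lists why it fired."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        loaded = ev.get("ImageLoaded", "")
        if PureWindowsPath(image).name.lower() != "mpcmdrun.exe":
            continue  # only the Defender command-line tool is of interest here
        reasons = []
        if not in_trusted_root(image):
            reasons.append("MpCmdRun.exe executing outside a Defender install directory")
        if (loaded and PureWindowsPath(loaded).name.lower() == "mpclient.dll"
                and not in_trusted_root(loaded)):
            reasons.append("mpclient.dll loaded from outside a Defender install directory (possible sideload)")
        if reasons:
            alerts.append({"host": ev.get("Computer", "?"), "event_id": ev.get("EventID"),
                           "image": image, "loaded": loaded, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(f"[{alert['host']}] EID {alert['event_id']}: {alert['image']}")
        for reason in alert["reasons"]:
            print("    -", reason)
```

Run against the constructed events, the legitimate Defender scan on ws01 produces nothing, while the copied binary on ws02 fires on both the executable location and the DLL location, and the temp-directory launch on srv01 fires on the executable location alone. Comparing whole path components (rather than string prefixes) avoids false matches against look-alike directory names.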
LockBit slips through the vulnerability
LockBit has been getting quite a bit of attention lately. Last week SentinelLabs reported on LockBit 3.0 (aka LockBit Black) and described how the latest iteration of this increasingly popular RaaS implemented a set of anti-analysis and anti-debugging routines. The research was quickly followed by others who reported similar findings. Meanwhile, back in April, SentinelLabs reported how a LockBit affiliate used the legitimate VMware command-line utility, VMwareXferlogs.exe, in a live deployment to sideload Cobalt Strike.
In a detailed article, SentinelOne shows how the otherwise legitimate Microsoft Defender tool is being misused by attackers.
More at SentinelOne.com