
LockBit Ransomware Leverages Windows Defender to Drop Cobalt Strike

The well-known LockBit ransomware has been receiving significant updates, as evident by the reports of several cybersecurity vendors.

New Version of LockBit Observed in the Wild

According to SentinelLabs, a new iteration of the ransomware has been deployed in the wild. LockBit 3.0 or LockBit Black has been equipped with a series of anti-analysis and anti-debugging routines, and the capability to exploit another legitimate tool – Windows Defender.

In April, SentinelLabs discovered that LockBit operators were leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to side-load Cobalt Strike. “During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads,” SentinelOne noted.

In the attack, the Cobalt Strike payload was retrieved from a remote server and then decrypted and loaded via the Windows Defender command line tool.

Why did the cybercriminals use these legitimate tools? “Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the report added.
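A defender-side check, added here as an illustration and not part of the article or of SentinelLabs' report: the two signed binaries named above have a small set of expected install locations, so process-creation telemetry can be screened for copies of them running from anywhere else, which is the usual tell of a side-loading setup. The allow-list directories are assumed and the event sample is constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumed install directories for the two binaries named in the article
# (hypothetical allow-list; adjust to the paths seen in your own estate).
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (r"c:\program files\vmware",),
}


def is_relocated_lolbin(image_path: str) -> bool:
    """True when a watched binary runs from outside its expected directory."""
    path = PureWindowsPath(image_path)
    name = path.name.lower()
    if name not in EXPECTED_DIRS:
        return False
    parent = str(path.parent).lower()
    # Accept the directory itself or a subdirectory only, so a lookalike such
    # as "...\windows defender2" is not mistaken for the real install path.
    return not any(parent == d or parent.startswith(d + "\\")
                   for d in EXPECTED_DIRS[name])


def scan_process_events(csv_text: str) -> list:
    """Return the process-creation events whose image triggers the rule."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if is_relocated_lolbin(row["image"])]


# Constructed sample of process-creation telemetry (not real log data).
SAMPLE_EVENTS = """\
time,host,image,parent_image
2022-08-01T10:01:00Z,ws01,C:\\Program Files\\Windows Defender\\MpCmdRun.exe,C:\\Windows\\System32\\svchost.exe
2022-08-01T10:02:00Z,ws01,C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2203.5-0\\MpCmdRun.exe,C:\\Windows\\System32\\svchost.exe
2022-08-01T10:03:00Z,ws02,C:\\Users\\Public\\MpCmdRun.exe,C:\\Windows\\System32\\cmd.exe
2022-08-01T10:04:00Z,ws03,C:\\Windows\\Temp\\VMwareXferlogs.exe,C:\\Windows\\System32\\cmd.exe
2022-08-01T10:05:00Z,ws03,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe
"""

if __name__ == "__main__":
    for event in scan_process_events(SAMPLE_EVENTS):
        print(f"{event['time']} {event['host']}: {event['image']} "
              f"(parent {event['parent_image']})")
```

The rule only catches a binary that was copied out of place; a side-loaded DLL dropped next to the binary in its real install directory needs a separate check on DLL load events.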

Another significant attack attributed to LockBit is the one against Accenture, a global business consulting firm. Accenture’s clients include 91 of the Fortune Global 100 companies and at least three-quarters of the Fortune Global 500, among them Alibaba, Google and Cisco.

Cobalt Strike Dropped by Multiple Threat Actors

Earlier this year, in May, security researchers detected a “mysterious” malicious Python package that downloaded the Cobalt Strike malware on Windows, Linux, and macOS systems. Called “pymafka,” the package masquerades as the legitimate popular library PyKafka, a programmer-friendly Kafka client for Python. According to Sonatype researchers, the malicious package has been downloaded approximately 300 times.

Another example of a malware tool used by multiple cybercriminals is Bumblebee. Due to the specifics of the malware campaigns, security researchers believe that the threat actors behind such operations are initial access brokers. Initial network access is what gets malicious hackers inside an organization’s network. Threat actors who are selling it create a bridge between opportunistic campaigns and targeted attackers. In most cases, these are ransomware operators.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
