The well-known LockBit ransomware has been receiving significant updates, as evidenced by reports from several cybersecurity vendors.
New Version of LockBit Observed in the Wild
According to SentinelLabs, a new iteration of the ransomware has been deployed in the wild. LockBit 3.0, also known as LockBit Black, has been equipped with a series of anti-analysis and anti-debugging routines, and its operators have been observed abusing yet another legitimate tool, Windows Defender, to load their payloads.
In April, SentinelLabs discovered that LockBit operators were leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to side-load Cobalt Strike. “During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads,” SentinelOne noted.
In the attack, the Cobalt Strike payload was downloaded from a remote server and then decrypted and loaded via the Windows Defender command line tool.
Why did the cybercriminals use these legitimate tools? “Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the report added.
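The practical lesson of the two cases above is that a signed vendor binary is only trustworthy in its vendor's directory. The following added example (not code from the SentinelLabs report) runs a simple detection over constructed, Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events and flags three things: MpCmdRun.exe or VMwareXferlogs.exe executing from outside its expected install directory, either binary loading a DLL from a directory that is neither its install directory nor a Windows system directory (the side-loading pattern), and an unsigned module loaded by one of them. The expected install directories, the event field names and the sample events are assumptions, chosen to resemble default Windows layouts and Sysmon output.

```python
"""Detect relocated or side-loaded LOLBins abused in the LockBit intrusions above.

Added example, not from the original report. Install directories and sample
events are assumptions constructed for illustration.
"""
import ntpath

# Assumed default install directories for each watched binary (lower-case).
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (
        r"c:\program files\vmware\vmware tools",
    ),
}

# DLLs loaded from these directories are expected for any Windows process.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events in a Sysmon-like shape (EventID 1 = process create,
# EventID 7 = image load). None of these are taken from the real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll", "Signed": "false"},
]


def _norm_dir(path):
    """Lower-case the directory part of a Windows path and drop trailing separators."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _under(directory, roots):
    """True if `directory` equals one of `roots` or is nested beneath one of them."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def check_event(event):
    """Return (rule, binary, offending_path) for a suspicious event, else None."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name not in EXPECTED_DIRS:
        return None  # not a binary we watch
    if event["EventID"] == 1:
        # A copy of the signed binary running from a user-writable location.
        if not _under(_norm_dir(image), EXPECTED_DIRS[name]):
            return ("lolbin_relocated", name, image)
    elif event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        # Side-loading: the DLL comes from somewhere other than the install or system dirs.
        if not _under(_norm_dir(loaded), EXPECTED_DIRS[name] + SYSTEM_DIRS):
            return ("sideload_candidate", name, loaded)
        # Even in the right place, an unsigned module loaded by a vendor binary is suspect.
        if event.get("Signed", "true").lower() == "false":
            return ("unsigned_module", name, loaded)
    return None


def analyze(events):
    """Run check_event over a list of events and collect the findings in order."""
    return [finding for finding in map(check_event, events) if finding is not None]


if __name__ == "__main__":
    for rule, binary, path in analyze(SAMPLE_EVENTS):
        print(f"{rule:20} {binary:20} {path}")
```

On real telemetry, feed the parsed Sysmon or EDR events into `analyze` and tune `EXPECTED_DIRS` to the versions actually deployed (Defender's platform directory, in particular, is versioned). The first two rules are the ones that would have fired on the activity described above; the unsigned-module rule is cheap extra coverage for the case where an attacker plants a DLL next to the genuine binary instead of moving the binary.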
Another significant attack attributed to LockBit is the one against Accenture, a global business consulting firm. Accenture’s clients include 91 of the Fortune Global 100 and at least three-quarters of the Fortune Global 500, among them Alibaba, Google and Cisco.
Cobalt Strike Dropped by Multiple Threat Actors
Earlier this year, in May, security researchers detected a “mysterious” malicious Python package that downloaded a Cobalt Strike payload onto Windows, Linux, and macOS systems. Called “pymafka,” the package masquerades as the legitimate and popular PyKafka library, a programmer-friendly Kafka client for Python. According to Sonatype researchers, the malicious package was downloaded approximately 300 times.
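The pymafka case is a textbook typosquat: one character away from the name developers actually meant to type. A cheap pre-install guard is to compare a requested package name against a list of packages the organisation already knows and trusts, and stop when the name is a near miss of a trusted one without being it. The following added example (not code from Sonatype or from the PyKafka project) does that with a Levenshtein edit distance after normalising names the way PyPI does (case-folded, with `-` and `.` treated like `_`). The trusted list and the threshold of two edits are assumptions for illustration.

```python
"""Flag package names that are near misses of trusted names (typosquat check).

Added example; the TRUSTED set and the distance threshold are assumptions.
"""

# Assumed allowlist of packages the organisation already depends on.
TRUSTED = {"pykafka", "requests", "numpy", "urllib3", "cryptography"}


def normalize(name):
    """Approximate PyPI name normalisation: case-fold, unify -, . and _ as _."""
    return name.lower().replace("-", "_").replace(".", "_")


def levenshtein(a, b):
    """Classic single-row dynamic-programming edit distance between strings a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def suspicious(name, trusted=TRUSTED, max_distance=2):
    """Return (closest_trusted_name, distance) if `name` is a near miss of a
    trusted package without being one; return None otherwise."""
    n = normalize(name)
    by_norm = {normalize(t): t for t in trusted}
    if n in by_norm:
        return None  # exactly a trusted package, nothing to flag
    closest = min(by_norm, key=lambda t: levenshtein(n, t))
    distance = levenshtein(n, closest)
    if distance <= max_distance:
        return (by_norm[closest], distance)
    return None


if __name__ == "__main__":
    for candidate in ("pymafka", "PyKafka", "requets", "flask"):
        print(candidate, "->", suspicious(candidate))
```

Wiring this into a CI step that reads `requirements.txt` turns an unknown near-miss name into a build failure rather than an install; a name that matches nothing trusted (such as `flask` above against this small list) passes through, which is the intended behaviour, since the check is for look-alikes, not for unknown packages in general.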
Another example of a malware tool used by multiple cybercriminal groups is Bumblebee. Based on how its campaigns are run, security researchers believe that the threat actors behind them are initial access brokers. Initial access is the foothold that gets attackers inside an organization’s network; the threat actors who sell it create a bridge between opportunistic campaigns and targeted attackers, which in most cases are ransomware operators.