The LockBit ransomware group, one of the most prolific in the second quarter of this year, is using new methods to compromise victims' systems.
LockBit belongs to the class of ransomware known as 'crypto viruses', because its ransom demand is a payment in exchange for decrypting the victim's files. It focuses mostly on enterprises and government organizations rather than individuals.
LockBit uses Cobalt Strike
Cobalt Strike is a legitimate penetration-testing suite whose extensive feature set has made it popular among threat actors, who use it for stealthy network reconnaissance and lateral movement before stealing and encrypting data.
A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command-line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.
How LockBit is attacking
SentinelOne had previously reported an attack involving the LockBit ransomware in which attackers leveraged a legitimate VMware-branded command-line utility, 'VMwareXferlogs.exe', to side-load the Cobalt Strike payload.
In a recent incident, Sentinel Labs noticed the misuse of Microsoft Defender’s command line tool ‘MpCmdRun.exe’ to download malicious DLLs that decrypt and install Cobalt Strike beacons.
After establishing access to a target system and gaining the required user privileges, the threat actors use PowerShell to download three files: a clean copy of the Windows command-line utility, a DLL file, and a LOG file.
MpCmdRun.exe is a command line utility to perform Microsoft Defender tasks, and it supports commands to scan for malware, collect information, restore items, perform diagnostic tracing, and more.
When executed, MpCmdRun.exe loads a DLL named "mpclient.dll" that it requires to operate correctly; a genuine copy of that DLL lives alongside the legitimate binary in the Defender installation directory.
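The side-loading pattern above can be spotted in endpoint image-load telemetry. The following detection logic is an added example, not code from the article or from SentinelOne: it flags any MpCmdRun.exe that loads mpclient.dll when either file sits outside the standard Defender install directories. The event lines are constructed, simplified Sysmon-style key=value records, and the trusted directory list is an assumption about a default Defender installation.

```python
"""Flag MpCmdRun.exe loading mpclient.dll from a non-Defender directory."""
import ntpath
import re

# Assumed default locations of a genuine Defender MpCmdRun.exe / mpclient.dll.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed sample image-load events (process image and the DLL it loaded).
SAMPLE_EVENTS = [
    r"Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe"
    r" ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\mpclient.dll",
    r"Image=C:\Users\Public\MpCmdRun.exe ImageLoaded=C:\Users\Public\mpclient.dll",
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
]

# key=value pairs; values may contain spaces, so stop before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_trusted_dir(path):
    """True when the file's directory is one of the Defender install locations."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def is_suspicious_sideload(event):
    """True when MpCmdRun.exe loads mpclient.dll and either file is relocated."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        return False
    if ntpath.basename(loaded).lower() != "mpclient.dll":
        return False
    return not (is_trusted_dir(image) and is_trusted_dir(loaded))


def find_sideloads(lines):
    """Return (Image, ImageLoaded) pairs matching the side-load pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_sideload(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT: {image} side-loaded {dll}")
```

A copy of the utility run from a Defender directory with its genuine DLL produces no alert; a relocated pair (here under C:\Users\Public) does.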
The good news is that Cobalt Strike beacons are usually detected by the products of major cybersecurity companies.
It is always recommended not to download apps from outside the official marketplaces. Great care should also be taken never to click on links or attachments in emails or messages without first checking where those hyperlinks lead.
Finally, you must keep your operating system updated to the latest stable version available. It is also crucial to keep installed applications at their latest versions and to avoid installing unnecessary apps: one should never expand the attack surface.