Hackers use Windows Defender Antivirus to launch attacks

Hackers use Windows Defender Antivirus to launch attacks

Unidentified attackers associated with the developers of LockBit 3.0 ransomware use a command-line tool in Windows Defender Antivirus to download Cobalt Strike, a commercial pentesting tool actively used by hackers, into a compromised beacon system. About that writes CNews output referencing SentinelOne data.

    Image source: Pixabay

Image source: Pixabay

According to reports, attackers use MpCmdRun.exe tool to decrypt and download Cobalt Strike onto victim’s system. However, using Windows Defender is just one step in the hacking scheme. The attackers first compromise VMWare Horizon Server systems that lack a fix for the Log4j vulnerability. Hackers modify the Blast Secure Gateway component by installing a web shell with PowerShell code.

Once infiltrated, the hackers run a series of commands and launch post-exploitation tools, including Meterpreter and PowerShell Empire. Next, the attackers download a malicious DLL, an encrypted malicious module, and a legitimate tool, MpCmdRun.exe, with a working digital signature from a remote server. The malicious DLL is the mpclient.dll library, which has been modified in a special way. MpCmdRun.exe automatically loads the library and uses it to decode the main part of Cobalt Strike’s active element, which is hidden in the C0000015.log file.

“Defenders must keep in mind that LockBit operators and their partners are researching and using new tools to ‘live off the land’, i.e. legitimate local means of downloading Cobalt Strike beacons, successfully bypassing some typical EDR systems and antivirus.”, — said in the message SentinelOne. Earlier this year, experts from SentinelOne warned that LockBit operators use the VMwareXferlogs.exe utility (a legitimate VMware virtualization tool to communicate with VMX protocols) to download Cobalt Strike beacons.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.

Add Comment

Click here to post a comment