"Windows Defender Is Being Abused to Side-Load LockBit 3.0"

Researchers discovered that Log4j vulnerabilities are now being used to deploy Cobalt Strike beacons via the Windows Defender command line tool. Sentinel Labs cybersecurity researchers recently discovered the new method, used by an unknown threat actor whose endgame is the deployment of LockBit 3.0 ransomware. The threat actor uses Log4Shell to gain access to a target endpoint and obtain the required user privileges. They then use PowerShell to download three files: a clean Windows command line utility (MpCmdRun.exe), a DLL file (mpclient.dll), and a LOG file (the encrypted Cobalt Strike beacon). Next they execute MpCmdRun.exe, a command line utility that performs various Microsoft Defender tasks. That program normally loads a legitimate DLL, mpclient.dll, that it requires to function properly. In this case, however, the program loads a malicious DLL of the same name that was downloaded alongside it; this is the technique known as side-loading. The malicious DLL then loads the LOG file and decrypts the encrypted Cobalt Strike payload it contains. This LockBit affiliate was previously using VMware's command line tools to side-load Cobalt Strike beacons, so the switch to Windows Defender is unusual. The change was made to circumvent targeted protections VMware introduced recently. Still, the researchers conclude that using living-off-the-land tools to avoid detection by antivirus or malware protection services is "extremely common" these days, and they urge businesses to check their security controls and be vigilant in tracking how legitimate executables are being abused. This article continues to discuss the use of Windows Defender to side-load LockBit 3.0.
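The abuse described above hinges on a copy of MpCmdRun.exe loading an mpclient.dll that sits next to it rather than in a Microsoft Defender directory. The following detection logic is an added example written for this summary; it is not code from TechRadar, Sentinel Labs, or Microsoft. It runs over constructed records shaped like the Image, ImageLoaded and Signed fields of a Sysmon image-load event and flags MpCmdRun.exe/mpclient.dll pairs that run from, or are loaded from, somewhere other than the expected Defender install or platform directories. The directory list and the version folder name in the sample data are assumptions to adjust for your own environment.

```python
"""Flag MpCmdRun.exe loading mpclient.dll from an unexpected location.

Added example for this page (not SentinelLabs or Microsoft code). Input
records are constructed to resemble a few fields of a Sysmon Event ID 7
(image loaded) record; real telemetry carries many more fields.
"""
from pathlib import PureWindowsPath

# Directories from which Microsoft Defender legitimately runs: the default
# install location and the platform-update location. Assumption: no other
# locations are in use on the monitored hosts; extend the tuple if they are.
EXPECTED_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# Constructed sample events, not real telemetry. The platform version
# folder "4.18.0000.0-0" is a placeholder.
SAMPLE_EVENTS = [
    {   # benign: Defender's own binary loading its own DLL
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\mpclient.dll",
        "Signed": "true",
    },
    {   # suspicious: a dropped copy of MpCmdRun.exe loading a dropped DLL
        "Image": r"C:\Users\Public\MpCmdRun.exe",
        "ImageLoaded": r"C:\Users\Public\mpclient.dll",
        "Signed": "false",
    },
    {   # unrelated process; the rule ignores it
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
    },
]


def _under_expected_dir(path: str) -> bool:
    """Case-insensitive check that `path` lies below one of the Defender dirs."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for d in EXPECTED_DEFENDER_DIRS:
        dparts = [p.lower() for p in PureWindowsPath(d).parts]
        if parts[: len(dparts)] == dparts:
            return True
    return False


def classify(event: dict):
    """Return None if the event is not an MpCmdRun.exe -> mpclient.dll load,
    otherwise a list of reasons it looks suspicious (empty list = benign)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    loaded = PureWindowsPath(event["ImageLoaded"]).name.lower()
    if image != "mpcmdrun.exe" or loaded != "mpclient.dll":
        return None
    reasons = []
    if not _under_expected_dir(event["Image"]):
        reasons.append("MpCmdRun.exe running outside Defender directories")
    if not _under_expected_dir(event["ImageLoaded"]):
        reasons.append("mpclient.dll loaded from outside Defender directories")
    if event.get("Signed", "").lower() != "true":
        reasons.append("loaded mpclient.dll is not signed")
    return reasons


def find_suspicious(events):
    """Return (process image, reasons) for every event the rule flags."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"SUSPICIOUS {image}")
        for r in reasons:
            print(f"  - {r}")
```

The rule is deliberately narrow: it only looks at the one executable/DLL pair this campaign abuses, and it treats a load from outside the Defender directories as the signal rather than trying to recognise the DLL itself, since the DLL is what the attacker controls and can change. The same shape of check (known-good parent directory plus signature status) generalises to the VMware command line tools the affiliate used earlier and to other signed binaries known to load a DLL by bare name.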

TechRadar reports "Windows Defender Is Being Abused to Side-Load LockBit 3.0"

Submitted by Anonymous on