The endpoint security firm SentinelOne has warned about a LockBit ransomware operator that has been observed to abuse Windows Defender to decrypt and load Cobalt Strike payload. According to the security firm’s reports threat actors in a LockBit ransomware attack exploited VMware command-line utility named VMwareXferlogs.exe, to modify VMware tool settings and interface in the targeted operating systems, and downloaded a Cobalt Strike payload.
The threat actor has been also observed to leverage a command line tool associated with Windows Defender named MpCmdRun.exe to decrypt and load Cobalt Strike payloads. The attacker has targeted the Log4Shell vulnerability which is the vulnerability found in an open-source logging library used by apps and services across the internet and executed a reconnaissance for thorough observation of the network in order to download the Cobalt Strike Payload.
SentinelOne stated that Windows Defender needs to be aware of the situation as threat actors associated with the LockBit ransomware are exploring to exploit “novel living off the land tools” in order to load Cobalt Strike beacons which evade traditional AV detection tools.
The enterprise and organizations are instructed to carefully scrutinize the products such as VMware and Windows Defender as they are highly susceptible to the threat actors who operate remotely outside of the security controls. The LockBit ransomware has been targeting thousands of private enterprise networks since 2019 to decrypt sensitive data.
LockBit 3.0 a variant of LockBit has already claimed more than 60 victims and leaked their data on the LockBit 3.0 website. The LockBit-associated threat actors have been leaking data of enterprises on its website that failed to provide the ransom amount. In some cases, they even offered security officials up to $1 million as part of a bug bounty program.
