Windows Defender suffers from LockBit 3.0 attacks by initiating Cobalt Strike

Windows Defender is being target of the LockBit 3.0 ransomware that exploits a the system by deploying a Cobalt Strike beacon and successfully avoid detection. Security researchers have stated that this particular Cobalt Strike beacon can not be detected by the system easily because the LockBit 3.0 ransomware abuses the Defender’s command line tool MpCmdRun.exe to side-load malicious DLLs. MpCmdRun is responsible for protecting the Windows from online threats and malware, Cobalt Strike get installed into the device once the malicious DLLs are being run to decrypt the system.

Security experts say that threat actor compromised the network by exploiting a Log4j flaw on vulnerable VMWare Horizon Servers, acting as medium for running virtual desktop and apps in order to run PowerShell code to automatize the system for remote use.

According to security researchers the threat actor uses PowerShell to download three files, a clean copy of a Windows, CL utility, a DLL file and a LOG file. Usually MpCmdRun.exe is responsible for using CL utility file to scan for malware and collect information regarding it to prepare the system for restoration and it will also load a legitimate DLL named mpclient.dll to operate the system correctly.

However, once the threat actor has exploited MpCmdRun.exe it will be used to install a mirror image of mpclient.dll which is in reality a malicious DLL file. This will load an encrypted Cobalt Strike payload from the c0000015.log file, the encrypted beacon.

Security researchers suggests that organizations should conduct a thorough and powerful security control frequently and keep a track record of the vulnerabilities in the system.

Readers like you help support The Tech Outlook. When you make a purchase using links on our site, we may earn an affiliate commission. We cannot guarantee the Product information shown is 100% accurate and we advise you to check the product listing on the original manufacturer website. Thetechoutlook is not responsible for price changes carried out by retailers. The discounted price or deal mentioned in this item was available at the time of writing and may be subject to time restrictions and/or limited unit availability. Amazon and the Amazon logo are trademarks of, Inc. or its affiliates Read More

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

function init() { var vidDefer = document.getElementsByTagName('iframe'); for (var i=0; i