LockBit 3.0 abuses Windows Defender to deploy Cobalt Strike
Windows Defender is being targeted by the LockBit 3.0 ransomware operation, which abuses the product to deploy a Cobalt Strike beacon while evading detection. Security researchers state that this particular beacon is hard for the system to detect because LockBit 3.0 abuses Defender's command-line tool, MpCmdRun.exe, to side-load a malicious DLL. MpCmdRun.exe is a legitimate component responsible for protecting Windows from online threats and malware; once the malicious DLL runs, it decrypts the payload and Cobalt Strike is installed on the device.
Security experts say the threat actor compromised the network by exploiting a Log4j flaw on vulnerable VMware Horizon servers, which act as the platform for running virtual desktops and applications, and then used that access to run PowerShell code remotely to automate the next stages of the attack.
According to the researchers, the threat actor uses PowerShell to download three files: a clean copy of the Windows command-line utility MpCmdRun.exe, a DLL file and a LOG file. Normally MpCmdRun.exe is used to scan for malware and collect information about it so the system can be restored, and to operate correctly it loads a legitimate DLL named mpclient.dll.
However, in this attack the copy of MpCmdRun.exe dropped by the threat actor loads a look-alike mpclient.dll that is in reality a malicious DLL. This DLL then loads the encrypted Cobalt Strike payload, the beacon, from the c0000015.log file and decrypts it.
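The side-loading chain described above leaves a recognisable footprint in endpoint telemetry: MpCmdRun.exe running from somewhere other than the Defender install directory, mpclient.dll being loaded from that same non-standard location, and PowerShell as the parent process. The following detection sketch is an added example, not code from the article or from any vendor; the event record layout and the list of legitimate Defender directories are assumptions for illustration, and the sample events are constructed.

```python
"""Detection sketch: MpCmdRun.exe side-loading a rogue mpclient.dll.

Added example, not from the original article. The event format (Sysmon
Event ID 7 style image loads) and the trusted Defender directories are
assumptions; adapt both to the telemetry your EDR actually produces.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Directories where genuine Defender binaries and mpclient.dll normally live.
# Assumption for the example: extend with the platform versions in your fleet.
TRUSTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


@dataclass
class ImageLoadEvent:
    """Minimal image-load record: which process loaded which DLL, and its parent."""
    process_image: str   # full path of the process performing the load
    loaded_image: str    # full path of the DLL that was loaded
    parent_image: str    # full path of the process's parent


def _norm(path: str) -> str:
    """Normalise slashes and case so prefix checks are not trivially bypassed."""
    return path.replace("/", "\\").lower()


def _in_trusted_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d) for d in TRUSTED_DEFENDER_DIRS)


def classify(event: ImageLoadEvent) -> List[str]:
    """Return the reasons an event resembles MpCmdRun side-loading (empty if none)."""
    reasons: List[str] = []
    proc = _norm(event.process_image)
    dll = _norm(event.loaded_image)
    parent = _norm(event.parent_image)

    # Only events where the loading process is MpCmdRun.exe are of interest.
    if not proc.endswith("\\mpcmdrun.exe"):
        return reasons
    if not _in_trusted_dir(proc):
        reasons.append("MpCmdRun.exe running from a non-Defender directory")
    if dll.endswith("\\mpclient.dll") and not _in_trusted_dir(dll):
        reasons.append("mpclient.dll loaded from a non-Defender directory")
    if parent.endswith("\\powershell.exe"):
        reasons.append("MpCmdRun.exe spawned by PowerShell")
    return reasons


def detect(events: List[ImageLoadEvent]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and return (index, reasons) for every hit."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: one benign load, one side-loading chain,
# one benign load from a Defender platform directory (version string is
# made up), and one unrelated process.
SAMPLE_EVENTS = [
    ImageLoadEvent(
        "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
        "C:\\Program Files\\Windows Defender\\mpclient.dll",
        "C:\\Windows\\System32\\svchost.exe",
    ),
    ImageLoadEvent(
        "C:\\Users\\Public\\MpCmdRun.exe",
        "C:\\Users\\Public\\mpclient.dll",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ),
    ImageLoadEvent(
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2205.7-0\\MpCmdRun.exe",
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2205.7-0\\mpclient.dll",
        "C:\\Windows\\System32\\svchost.exe",
    ),
    ImageLoadEvent(
        "C:\\Windows\\System32\\notepad.exe",
        "C:\\Windows\\System32\\kernel32.dll",
        "C:\\Windows\\explorer.exe",
    ),
]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Each of the three indicators is weak on its own (administrators do occasionally run MpCmdRun.exe from PowerShell), so the rule reports all matching reasons rather than a single boolean and lets the analyst or a downstream scoring rule weigh them; the load of mpclient.dll from outside a Defender directory is the one that should rarely, if ever, be legitimate.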
Security researchers recommend that organizations conduct thorough security control reviews frequently and keep a running record of the vulnerabilities present in their systems.