Windows Defender hacked to deploy this dangerous ransomware

The Log4j vulnerabilities are now being used to deploy Cobalt Strike beacons via the Windows Defender command-line tool, researchers discovered.

Cybersecurity researchers at Sentinel Labs recently detected a new method, employed by an unknown threat actor, whose ultimate goal is the deployment of LockBit 3.0 ransomware.

It works like this: the threat actor uses Log4Shell (as the Log4j vulnerability is known) to gain access to a target endpoint and the user privileges they need. They then use PowerShell to download three files: a clean copy of the Windows Defender command-line utility (MpCmdRun.exe), a DLL file (mpclient.dll), and a LOG file that holds the encrypted Cobalt Strike beacon.

Side-loading Cobalt Strike

They then run MpCmdRun.exe, a command-line utility that performs various tasks for Microsoft Defender. The program normally loads a legitimate DLL, mpclient.dll, which it needs to run properly. Because Windows searches an application's own directory before the system directories when a DLL is requested by name, the copy of MpCmdRun.exe dropped by the attacker loads the malicious mpclient.dll sitting beside it instead of the genuine one.

This DLL reads the LOG file, decrypts the Cobalt Strike payload stored in it, and runs it.

This technique is known as DLL side-loading.

This LockBit affiliate previously used VMware's command-line tools to side-load Cobalt Strike beacons, BleepingComputer notes, so the move to the Windows Defender utility is somewhat unusual. The post suggests the change was made to circumvent protections VMware recently introduced. However, living-off-the-land techniques that abuse legitimate, signed tools to evade antivirus and other endpoint security products are "extremely common" these days, the post concludes, urging organizations to review their security controls and to monitor closely how legitimate executables are used, and abused, on their endpoints.
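As an added example (not code from the original article, SentinelLabs or BleepingComputer), the following Python checks Sysmon-style image-load records (Event ID 7 fields: Image, ImageLoaded, Signed, Signature) for the pattern described above: MpCmdRun.exe running from, or loading mpclient.dll from, somewhere other than Defender's install directories, or loading an mpclient.dll that is not Microsoft-signed. The list of expected directories, the host/DLL pairing table, and the sample events (including the Platform version folder and process IDs) are constructed assumptions for the demonstration, not data from the reported intrusion.

```python
import ntpath

# Assumption: directories Defender's own binaries normally run from. The Platform
# folder holds a version-named subdirectory, so matching is done by prefix.
EXPECTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Assumption: signed host executables and the DLLs they resolve by bare name,
# i.e. the pairs an attacker can side-load by dropping both files together.
SIDELOAD_PAIRS = {
    "mpcmdrun.exe": {"mpclient.dll"},
}


def is_expected_location(path):
    """True if the file lives in (or under) one of Defender's install directories."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return any(directory == base or directory.startswith(base + "\\")
               for base in EXPECTED_DIRS)


def assess_image_load(event):
    """Return the reasons a single image-load event looks like DLL side-loading.

    An empty list means the event is either unrelated to a watched host/DLL
    pair or looks like Defender loading its own DLL from its own directory.
    """
    host, dll = event["Image"], event["ImageLoaded"]
    host_name = ntpath.basename(host).lower()
    dll_name = ntpath.basename(dll).lower()
    reasons = []
    if dll_name not in SIDELOAD_PAIRS.get(host_name, ()):
        return reasons

    # The copied MpCmdRun.exe is clean and signed, so its location, not its
    # signature, is what gives it away.
    if not is_expected_location(host):
        reasons.append(f"{host_name} running from unexpected directory "
                       f"{ntpath.dirname(host)}")
    if not is_expected_location(dll):
        reasons.append(f"{dll_name} loaded from unexpected directory "
                       f"{ntpath.dirname(dll)}")

    # The planted DLL carries the right name but not Microsoft's signature.
    signed = event.get("Signed", "false").lower() == "true"
    signature = event.get("Signature", "")
    if not signed or not signature.lower().startswith("microsoft"):
        reasons.append(f"{dll_name} is not Microsoft-signed "
                       f"(Signature={signature!r})")
    return reasons


def scan(events):
    """Run assess_image_load over a batch and return (ProcessId, reason) pairs."""
    return [(e["ProcessId"], reason) for e in events for reason in assess_image_load(e)]


# Constructed sample events in Sysmon Event ID 7 field names; the timestamps,
# version folder and process IDs are made up for the demonstration.
SAMPLE_EVENTS = [
    {   # Defender's own engine loading its own DLL: benign.
        "UtcTime": "2022-07-29 10:15:02.117", "ProcessId": 2896,
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\mpclient.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Copied MpCmdRun.exe loading an unsigned mpclient.dll from the drop directory.
        "UtcTime": "2022-07-29 10:16:40.503", "ProcessId": 4132,
        "Image": r"C:\Users\Public\MpCmdRun.exe",
        "ImageLoaded": r"C:\Users\Public\mpclient.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # Unrelated load: not a watched pair, so ignored.
        "UtcTime": "2022-07-29 10:16:41.000", "ProcessId": 908,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Only the second sample event is flagged, for all three reasons (host location, DLL location, DLL signature). Any one of the three is worth an alert on its own: an attacker who copies Defender's genuine mpclient.dll alongside a proxy DLL, or who drops the pair into a path that merely resembles the install directory, would still trip at least one of the checks.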

Although Cobalt Strike is a legitimate tool, used for penetration testing, it has become quite infamous as it is being abused by threat actors around the world. It comes with a long list of features that cybercriminals can use to map the target network, undetected, and move laterally between endpoints as they prepare to steal data and deploy ransomware.

Via: BleepingComputer