Security firm SentinelOne released news today that should put Microsoft on high alert. The company discovered that Redmond's security application (Microsoft Defender) is being used to load the Cobalt Strike malware onto potential victims.

The attackers in this case are the administrators of the LockBit Ransomware-as-a-Service (RaaS) operation, and they use Microsoft Defender's dedicated command-line tool, MpCmdRun.exe, among other things, to infect computers.
A SentinelOne blog post describes this new attack:
During a recent investigation, we found that hackers were abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
The attack process works in much the same way as a previous VMware CLI attack. The attackers exploit the Log4j vulnerability to download MpCmdRun.exe, the malicious DLL mpclient.dll and the encrypted Cobalt Strike payload from the command-and-control (C2) server onto the victim's system.
MpCmdRun.exe is then used to side-load the malicious mpclient.dll, which loads and decrypts the Cobalt Strike payload from the c0000015.log file.
The diagram below shows the attack chain:
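The side-loading step above has a simple telemetry signature: the genuine MpCmdRun.exe and mpclient.dll live together in the Defender install directories, so a copy of MpCmdRun.exe running somewhere else, or loading an mpclient.dll from somewhere else, is worth an alert. The following detection sketch is an added example and not code from the article or from SentinelOne. It assumes simplified Sysmon-style image-load records with the fields Image, ImageLoaded and Signed, and the two Defender directories it treats as legitimate are an assumption about a default Windows installation; the sample events (including the platform version folder) are constructed.

```python
"""Flag MpCmdRun.exe side-loading a look-alike mpclient.dll from image-load telemetry.

Added example, not part of the article or SentinelOne's write-up. Records are
simplified Sysmon-style (Event ID 7) dicts; the legitimate Defender directories
below are an assumption about a default Windows install.
"""
from __future__ import annotations

import ntpath

# Assumed locations of the genuine MpCmdRun.exe / mpclient.dll pair.
LEGIT_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case- and slash-insensitive."""
    return path.replace("/", "\\").lower()


def _under_legit_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in LEGIT_DEFENDER_DIRS)


def classify_image_load(event: dict) -> list[str]:
    """Return findings for one image-load record; an empty list means nothing suspicious."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if ntpath.basename(_norm(image)) != "mpcmdrun.exe":
        return []  # only MpCmdRun.exe is of interest for this pattern
    findings = []
    if not _under_legit_dir(image):
        findings.append("MpCmdRun.exe running outside the Defender install directories")
    if ntpath.basename(_norm(loaded)) == "mpclient.dll":
        if not _under_legit_dir(loaded):
            findings.append("mpclient.dll loaded from outside the Defender install directories")
        if not event.get("Signed", False):
            findings.append("loaded mpclient.dll is not signed")
    return findings


def scan_events(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every suspicious event to its findings."""
    return {i: f for i, e in enumerate(events) if (f := classify_image_load(e))}


# Constructed sample records (the version folder name is made up for the example).
SAMPLE_EVENTS = [
    {   # benign: the real binary loading the real DLL from the platform folder
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\mpclient.dll",
        "Signed": True,
    },
    {   # suspicious: a copied binary in a writable folder loading a look-alike DLL
        "Image": r"C:\Users\Public\MpCmdRun.exe",
        "ImageLoaded": r"C:\Users\Public\mpclient.dll",
        "Signed": False,
    },
    {   # unrelated load that must not trigger
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": True,
    },
]

if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

Running it reports only the second record, with three findings. In production the directory allow-list should be populated from the host's actual Defender platform path, and the Signed field should be taken from the telemetry source's signature verification rather than trusted from the record itself.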

Indicators of Compromise

| IoC | Description |
| --- | --- |
| a512215a000d1b21f92dbef5d8d57a420197d262 | Malicious glib-2.0.dll |
| 729eb505c36c08860c4408db7be85d707bdcbf1b | Malicious glib-2.0.dll |
| c05216f896b289b9b426e249eae8a091a3358182 | Malicious glib-2.0.dll |
| 10039d5e5ee5710a067c58e76cd8200451e54b55 | Malicious glib-2.0.dll |
| ff01473073c5460d1e544f5b17cd25dadf9da513 | Malicious glib-2.0.dll |
| e35a702db47cb11337f523933acd3bce2f60346d | Encrypted Cobalt Strike payload – c0000015.log |
| 82bd4273fa76f20d51ca514e1070a3369a89313b | Encrypted Cobalt Strike payload – c0000015.log |
| 091b490500b5f827cc8cde41c9a7f68174d11302 | Decrypted Cobalt Strike payload – c0000015.log |
| 0815277e12d206c5bbb18fd1ade99bf225ede5db | Encrypted Cobalt Strike payload – c0000013.log |
| eed31d16d3673199b34b48fb74278df8ec15ae33 | Malicious mpclient.dll |
| 149.28.137[.]7 | Cobalt Strike C2 |
| 45.32.108[.]54 | IP where the attacker staged the malicious payloads to be downloaded |
| 139.180.184[.]147 | Attacker C2 used to receive data from executed commands |
| info.openjdklab[.]xyz | Domain used by the mpclient.dll |
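The indicator list above is only useful once it is checked against real host and network data. The script below is an added example, not part of the article or SentinelOne's research: it parses the IoC table as published (refanging the `[.]` notation), classifies each indicator as a SHA-1 hash, IP address or domain, and sweeps a file-hash inventory and some network log lines. The indicator values are copied from the table; the file inventory, the placeholder hash for the benign DLL, and the log lines are constructed for the demonstration.

```python
"""Sweep a file-hash inventory and network logs for the article's IoCs.

Added example, not code from the article or SentinelOne. Indicator values are
copied from the table above; inventory and log lines are constructed.
"""
from __future__ import annotations

import re

# The indicator table from the article, pasted as published (defanged with [.]).
IOC_TABLE = """
a512215a000d1b21f92dbef5d8d57a420197d262 | Malicious glib-2.0.dll |
729eb505c36c08860c4408db7be85d707bdcbf1b | Malicious glib-2.0.dll |
c05216f896b289b9b426e249eae8a091a3358182 | Malicious glib-2.0.dll |
10039d5e5ee5710a067c58e76cd8200451e54b55 | Malicious glib-2.0.dll |
ff01473073c5460d1e544f5b17cd25dadf9da513 | Malicious glib-2.0.dll |
e35a702db47cb11337f523933acd3bce2f60346d | Encrypted Cobalt Strike payload - c0000015.log |
82bd4273fa76f20d51ca514e1070a3369a89313b | Encrypted Cobalt Strike payload - c0000015.log |
091b490500b5f827cc8cde41c9a7f68174d11302 | Decrypted Cobalt Strike payload - c0000015.log |
0815277e12d206c5bbb18fd1ade99bf225ede5db | Encrypted Cobalt Strike payload - c0000013.log |
eed31d16d3673199b34b48fb74278df8ec15ae33 | Malicious mpclient.dll |
149.28.137[.]7 | Cobalt Strike C2 |
45.32.108[.]54 | IP where the attacker staged the malicious payloads to be downloaded |
139.180.184[.]147 | Attacker C2 used to receive data from executed commands |
info.openjdklab[.]xyz | Domain used by the mpclient.dll |
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a dot for matching."""
    return indicator.replace("[.]", ".")


def parse_ioc_table(text: str) -> dict[str, tuple[str, str]]:
    """Map each refanged, lower-cased indicator to (kind, description)."""
    iocs: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip("| \t").split("|")]
        if len(cells) < 2 or not cells[0] or cells[0].lower() == "ioc":
            continue  # blank line or header row
        ind = refang(cells[0]).lower()
        kind = "sha1" if SHA1_RE.match(ind) else "ip" if IPV4_RE.match(ind) else "domain"
        iocs[ind] = (kind, cells[1])
    return iocs


def match_file_hashes(inventory: dict[str, str], iocs: dict) -> list[tuple[str, str]]:
    """Return (path, description) for every inventory entry whose SHA-1 is a known IoC."""
    hits = []
    for path, sha1 in inventory.items():
        entry = iocs.get(sha1.lower())
        if entry and entry[0] == "sha1":
            hits.append((path, entry[1]))
    return hits


def match_log_lines(lines: list[str], iocs: dict) -> list[tuple[int, str, str]]:
    """Return (line number, indicator, description) for IP/domain IoCs seen in log lines."""
    net = {k: v for k, v in iocs.items() if v[0] in ("ip", "domain")}
    hits = []
    for n, line in enumerate(lines, 1):
        # Split on whitespace and key=value / host:port delimiters so tokens compare cleanly.
        for token in re.split(r"[\s,;\"'=:]+", line.lower()):
            if token in net:
                hits.append((n, token, net[token][1]))
    return hits


# Constructed sample data: one benign DLL (placeholder hash) plus two files matching IoCs.
SAMPLE_INVENTORY = {
    r"C:\Program Files\Windows Defender\mpclient.dll": "0000000000000000000000000000000000000000",
    r"C:\Users\Public\mpclient.dll": "eed31d16d3673199b34b48fb74278df8ec15ae33",
    r"C:\Users\Public\c0000015.log": "e35a702db47cb11337f523933acd3bce2f60346d",
}
SAMPLE_LOGS = [
    "2022-08-01T10:02:11Z dns query=info.openjdklab.xyz client=10.0.0.21",
    "2022-08-01T10:02:13Z conn src=10.0.0.21 dst=149.28.137.7:443 proto=tcp",
    "2022-08-01T10:05:00Z conn src=10.0.0.21 dst=10.0.0.5:443 proto=tcp",
]


def run_sweep() -> tuple[list, list]:
    iocs = parse_ioc_table(IOC_TABLE)
    return match_file_hashes(SAMPLE_INVENTORY, iocs), match_log_lines(SAMPLE_LOGS, iocs)


if __name__ == "__main__":
    file_hits, log_hits = run_sweep()
    for path, desc in file_hits:
        print(f"FILE  {path}: {desc}")
    for n, ind, desc in log_hits:
        print(f"LOG   line {n}: {ind} ({desc})")
```

Hash matching is exact and therefore brittle against recompiled samples; the IP and domain checks are the ones that keep paying off across variants, and the proxy or DNS logs they run over should be retained long enough to cover the dwell time of a ransomware intrusion.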
Read more technical details in SentinelOne's official blog post.
