Security firm SentinelOne released news today that should put Microsoft on high alert. The company discovered that Redmond's security application (Microsoft Defender) is being used to load the Cobalt Strike malware onto potential victims.
Those responsible for the attack in this case are the operators of the LockBit Ransomware-as-a-Service (RaaS), and they use, among other things, the Microsoft Defender command-line tool called "mpcmdrun.exe" to infect computers.
A SentinelOne blog post describes this new attack:
During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
The attack process works in much the same way as a previously reported VMware CLI attack. The attackers first exploit the Log4j vulnerability, then download MpCmdRun.exe, the malicious DLL "mpclient.dll" and the encrypted Cobalt Strike payload from their Command-and-Control (C2) server onto the victim's system.
MpCmdRun.exe is then used to side-load the malicious mpclient.dll, which in turn reads the c0000015.log file, decrypts it and loads the Cobalt Strike payload it contains.
The diagram below shows the chain of the attack:
Indicators of Compromise
| IoC | Description |
| --- | --- |
| a512215a000d1b21f92dbef5d8d57a420197d262 | Malicious glib-2.0.dll |
| 729eb505c36c08860c4408db7be85d707bdcbf1b | Malicious glib-2.0.dll |
| c05216f896b289b9b426e249eae8a091a3358182 | Malicious glib-2.0.dll |
| 10039d5e5ee5710a067c58e76cd8200451e54b55 | Malicious glib-2.0.dll |
| ff01473073c5460d1e544f5b17cd25dadf9da513 | Malicious glib-2.0.dll |
| e35a702db47cb11337f523933acd3bce2f60346d | Encrypted Cobalt Strike payload (c0000015.log) |
| 82bd4273fa76f20d51ca514e1070a3369a89313b | Encrypted Cobalt Strike payload (c0000015.log) |
| 091b490500b5f827cc8cde41c9a7f68174d11302 | Decrypted Cobalt Strike payload (c0000015.log) |
| 0815277e12d206c5bbb18fd1ade99bf225ede5db | Encrypted Cobalt Strike payload (c0000013.log) |
| eed31d16d3673199b34b48fb74278df8ec15ae33 | Malicious mpclient.dll |
| 149.28.137[.]7 | Cobalt Strike C2 |
| 45.32.108[.]54 | IP where the attacker staged the malicious payloads for download |
| 139.180.184[.]147 | Attacker C2 used to receive output from executed commands |
| info.openjdklab[.]xyz | Domain used by mpclient.dll |
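The side-loading chain described above (MpCmdRun.exe loading a rogue mpclient.dll from a non-Defender directory) and the IoC table both lend themselves to a simple detection pass over endpoint telemetry. The Python below is an added example written for this page, not code from SentinelOne or from the article. It parses a few constructed key="value" event lines (image-load, file-create and network events, modelled loosely on Sysmon-style fields), flags the side-load pattern, and matches file hashes and destinations against the indicators from the table. The Defender install directories listed in DEFENDER_DIRS are an assumption about a typical installation and should be adjusted to the environment.

```python
import re
from dataclasses import dataclass

# SHA-1 file indicators copied from the article's IoC table.
IOC_SHA1 = {
    "eed31d16d3673199b34b48fb74278df8ec15ae33": "Malicious mpclient.dll",
    "e35a702db47cb11337f523933acd3bce2f60346d": "Encrypted Cobalt Strike payload (c0000015.log)",
    "82bd4273fa76f20d51ca514e1070a3369a89313b": "Encrypted Cobalt Strike payload (c0000015.log)",
    "091b490500b5f827cc8cde41c9a7f68174d11302": "Decrypted Cobalt Strike payload (c0000015.log)",
    "0815277e12d206c5bbb18fd1ade99bf225ede5db": "Encrypted Cobalt Strike payload (c0000013.log)",
}

# Network indicators as printed in the table (defanged with "[.]"); they are
# refanged once here so they compare equal to what telemetry records.
IOC_NETWORK = {
    k.replace("[.]", "."): v
    for k, v in {
        "149.28.137[.]7": "Cobalt Strike C2",
        "45.32.108[.]54": "Payload staging host",
        "139.180.184[.]147": "Attacker C2 for command output",
        "info.openjdklab[.]xyz": "Domain used by mpclient.dll",
    }.items()
}

# Assumption: directories where Defender's own binaries legitimately live.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class Finding:
    kind: str    # "sideload", "hash_ioc" or "network_ioc"
    detail: str


def _in_defender_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in DEFENDER_DIRS)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def parse_event(line: str) -> dict:
    """Turn one key="value" telemetry line into a dict (constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def analyze_event(ev: dict) -> list:
    """Return the findings for a single parsed event."""
    findings = []
    etype = ev.get("type")
    sha1 = ev.get("sha1", "").lower()

    if etype == "image_load":
        image, loaded = ev.get("image", ""), ev.get("loaded", "")
        # Legitimate Defender loads mpclient.dll from its own install directory.
        # MpCmdRun.exe loading a DLL of that name from anywhere else, or running
        # from outside that directory itself, is the side-load pattern.
        if _basename(image) == "mpcmdrun.exe" and _basename(loaded) == "mpclient.dll":
            if not (_in_defender_dir(image) and _in_defender_dir(loaded)):
                findings.append(Finding("sideload", f"{image} loaded {loaded}"))
        if sha1 in IOC_SHA1:
            findings.append(Finding("hash_ioc", f"{loaded}: {IOC_SHA1[sha1]}"))

    elif etype == "file_create":
        if sha1 in IOC_SHA1:
            findings.append(Finding("hash_ioc", f"{ev.get('path', '')}: {IOC_SHA1[sha1]}"))

    elif etype == "network":
        dest = ev.get("dest", "").lower()
        if dest in IOC_NETWORK:
            findings.append(Finding("network_ioc", f"{ev.get('image', '')} -> {dest}: {IOC_NETWORK[dest]}"))

    return findings


def scan(lines) -> list:
    """Run analyze_event over every telemetry line and collect all findings."""
    out = []
    for line in lines:
        out.extend(analyze_event(parse_event(line)))
    return out


# Constructed sample telemetry: one benign Defender load, then the chain
# from the article (hash values for the malicious files are from the IoC table;
# the benign DLL hash is a placeholder).
SAMPLE_LOG = [
    r'type="image_load" image="C:\Program Files\Windows Defender\MpCmdRun.exe" loaded="C:\Program Files\Windows Defender\mpclient.dll" sha1="0000000000000000000000000000000000000001"',
    r'type="image_load" image="C:\Users\Public\MpCmdRun.exe" loaded="C:\Users\Public\mpclient.dll" sha1="eed31d16d3673199b34b48fb74278df8ec15ae33"',
    r'type="file_create" image="C:\Users\Public\MpCmdRun.exe" path="C:\Users\Public\c0000015.log" sha1="e35a702db47cb11337f523933acd3bce2f60346d"',
    r'type="network" image="C:\Users\Public\MpCmdRun.exe" dest="149.28.137.7"',
    r'type="network" image="C:\Windows\System32\svchost.exe" dest="update.example.invalid"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The benign first line produces nothing, the rogue load from C:\Users\Public produces both a side-load finding and a hash match, and the log file and C2 connection each match an indicator. In practice the hash matches age quickly (the attacker can recompile mpclient.dll), whereas the path-based side-load rule keeps catching the technique regardless of the hash, which is why it is worth keeping both.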
Read more technical details in SentinelOne's official blog post.