Microsoft Defender: yes, it is being used to install malware!

Security firm SentinelOne released news today that should put Microsoft on high alert. The company discovered that Redmond's security application (Microsoft Defender) is being abused to load Cobalt Strike payloads onto potential victims' systems.


Those responsible for the attack in this case are the operators of the LockBit Ransomware-as-a-Service (RaaS), and among other things they use Microsoft Defender's own command-line tool, "MpCmdRun.exe", to infect computers.

A SentinelOne blog post describes this new attack:

During a recent investigation, we found that hackers were abusing the Defender command-line tool MpCmdRun.exe for the decryption and loading of Cobalt Strike payloads.

The attack process works in much the same way as a previous attack that abused a VMware command-line utility. The hackers essentially exploit the Log4j vulnerability to download MpCmdRun.exe, the malicious DLL "mpclient.dll" and the encrypted Cobalt Strike file from the Command-and-Control (C2) server, and then use them to infect the potential victim's system.

MpCmdRun.exe is essentially used to side-load a malicious mpclient.dll, which loads and decrypts Cobalt Strike from the c0000015.log file. The trick works because a Windows executable resolves a DLL from its own directory before the system directories: a copy of the legitimately signed MpCmdRun.exe dropped next to an attacker-controlled mpclient.dll will load that DLL instead of the real one. The practical check is therefore the path, not the binary: MpCmdRun.exe and mpclient.dll running from anywhere other than the Defender installation directories (under "C:\Program Files\Windows Defender" or "C:\ProgramData\Microsoft\Windows Defender\Platform") should be treated as suspicious.

(Diagram in the original post: the flow of the attack, from Log4j exploitation through MpCmdRun.exe side-loading mpclient.dll to the Cobalt Strike payload; image not reproduced here.)

Indicators of Compromise

SHA-1 hash / network indicator               Description
a512215a000d1b21f92dbef5d8d57a420197d262     Malicious glib-2.0.dll
729eb505c36c08860c4408db7be85d707bdcbf1b     Malicious glib-2.0.dll
c05216f896b289b9b426e249eae8a091a3358182     Malicious glib-2.0.dll
10039d5e5ee5710a067c58e76cd8200451e54b55     Malicious glib-2.0.dll
ff01473073c5460d1e544f5b17cd25dadf9da513     Malicious glib-2.0.dll
e35a702db47cb11337f523933acd3bce2f60346d     Encrypted Cobalt Strike payload (c0000015.log)
82bd4273fa76f20d51ca514e1070a3369a89313b     Encrypted Cobalt Strike payload (c0000015.log)
091b490500b5f827cc8cde41c9a7f68174d11302     Decrypted Cobalt Strike payload (c0000015.log)
0815277e12d206c5bbb18fd1ade99bf225ede5db     Encrypted Cobalt Strike payload (c0000013.log)
eed31d16d3673199b34b48fb74278df8ec15ae33     Malicious mpclient.dll
149.28.137[.]7                               Cobalt Strike C2
45.32.108[.]54                               IP where the attacker staged the malicious payloads for download
139.180.184[.]147                            Attacker C2 used to receive the output of executed commands
info.openjdklab[.]xyz                        Domain used by the mpclient.dll
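The following hunting script is an added example and is not SentinelOne's or LockBit's tooling. It turns the side-loading description above and the IoC table into detection logic: it walks constructed Sysmon-style records (process creation, image load, DNS query, file creation) and flags MpCmdRun.exe started from outside the Defender directories, mpclient.dll loaded from anywhere else, and any hash, IP or domain that appears in the table. The trusted Defender directories, the event field names and the sample events are assumptions made for the demonstration; the hashes and network indicators are copied from the table.

```python
"""Hunt for the MpCmdRun.exe / mpclient.dll side-loading pattern.

Added example (not SentinelOne's code). Event dicts mimic Sysmon fields;
the field names and sample events below are constructed for this demo.
"""
import ntpath

# Assumption: the directories where the legitimate MpCmdRun.exe and
# mpclient.dll live (install dir and the versioned platform-update dirs).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# SHA-1 IoCs copied from the article's table (lower-case for matching).
IOC_SHA1 = {
    "a512215a000d1b21f92dbef5d8d57a420197d262": "Malicious glib-2.0.dll",
    "729eb505c36c08860c4408db7be85d707bdcbf1b": "Malicious glib-2.0.dll",
    "c05216f896b289b9b426e249eae8a091a3358182": "Malicious glib-2.0.dll",
    "10039d5e5ee5710a067c58e76cd8200451e54b55": "Malicious glib-2.0.dll",
    "ff01473073c5460d1e544f5b17cd25dadf9da513": "Malicious glib-2.0.dll",
    "e35a702db47cb11337f523933acd3bce2f60346d": "Encrypted Cobalt Strike payload (c0000015.log)",
    "82bd4273fa76f20d51ca514e1070a3369a89313b": "Encrypted Cobalt Strike payload (c0000015.log)",
    "091b490500b5f827cc8cde41c9a7f68174d11302": "Decrypted Cobalt Strike payload (c0000015.log)",
    "0815277e12d206c5bbb18fd1ade99bf225ede5db": "Encrypted Cobalt Strike payload (c0000013.log)",
    "eed31d16d3673199b34b48fb74278df8ec15ae33": "Malicious mpclient.dll",
}

# Network IoCs from the table, refanged ("[.]" -> ".") so they match raw telemetry.
IOC_NET = {
    "149.28.137.7": "Cobalt Strike C2",
    "45.32.108.54": "Payload staging host",
    "139.180.184.147": "C2 receiving command output",
    "info.openjdklab.xyz": "Domain used by mpclient.dll",
}


def is_trusted_path(path):
    """True if the file sits in, or under, one of the Defender directories."""
    directory = ntpath.dirname(path).lower()
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def check_event(ev):
    """Return the list of findings for one event; an empty list means nothing suspicious."""
    findings = []
    image = ev.get("image", "")
    name = ntpath.basename(image).lower()
    # The signed binary itself is clean; what matters is where it runs from.
    if ev["type"] == "process" and name == "mpcmdrun.exe" and not is_trusted_path(image):
        findings.append(f"MpCmdRun.exe started from untrusted path {image} (parent {ev.get('parent')})")
    # A same-named DLL next to the copied binary is the side-load.
    if ev["type"] == "imageload" and name == "mpclient.dll" and not is_trusted_path(image):
        findings.append(f"mpclient.dll side-loaded from {image} into {ev.get('process')}")
    sha1 = (ev.get("sha1") or "").lower()
    if sha1 in IOC_SHA1:
        findings.append(f"SHA-1 matches IoC '{IOC_SHA1[sha1]}': {image}")
    dest = (ev.get("destination") or "").lower()
    if ev["type"] in ("dns", "network") and dest in IOC_NET:
        findings.append(f"{ev['type']} to known indicator {dest} ({IOC_NET[dest]}) by {image}")
    return findings


def hunt(events):
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


# Constructed sample telemetry: two benign Defender runs, then the attack chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\Public\Downloads\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "imageload", "image": r"C:\Users\Public\Downloads\mpclient.dll",
     "process": r"C:\Users\Public\Downloads\MpCmdRun.exe",
     "sha1": "eed31d16d3673199b34b48fb74278df8ec15ae33"},
    {"type": "imageload", "image": r"C:\Program Files\Windows Defender\mpclient.dll",
     "process": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"type": "dns", "image": r"C:\Users\Public\Downloads\MpCmdRun.exe",
     "destination": "info.openjdklab.xyz"},
    {"type": "filecreate", "image": r"C:\Users\Public\Downloads\c0000015.log",
     "sha1": "E35A702DB47CB11337F523933ACD3BCE2F60346D"},
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        for line in findings:
            print(f"event {idx}: {line}")
```

The hash and network entries will go stale as soon as the operators rebuild their payloads; the durable part of the logic is the path check, which catches any future copy of MpCmdRun.exe or mpclient.dll outside the Defender directories regardless of what the DLL contains.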

Read the full technical details in SentinelOne's blog post.

iGuRu.gr, The Best Technology Site in Greece

Written by giorgos