Microsoft Defender Yes used to install malware!

Security firm SentinelOne released news today that should put Microsoft on high alert. The company discovered that Redmond's security application (Microsoft Defender) is being used to load the Cobalt Strike malware onto potential victims.

windows defender hack

The attackers in this case are the administrators of LockBit Ransomware as a Service (RaaS) and they use Microsoft Defender's dedicated command line tool called “mpcmdrun.exe”, among other things, to infect computers.

A SentinelOne blog post describes this new attack:

During a recent investigation, we found that hackers were abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

The attack process works in much the same way as a previous VMware CLI attack. Hackers essentially exploit the vulnerability log4j to download MpCmdRun, the malicious DLL file “mpclient” and the Cobalt Strike encrypted file from the Command-and-Control (C2) server to infect a potential victim's system.

MpCmd.exe is essentially used to side-load a malicious mpclient.dll, which loads and decrypts Cobalt Strike from the c0000015.log file.

The diagram below shows the attack chain:

lockbit defender

Indicators of Compromise

IoC Description
a512215a000d1b21f92dbef5d8d57a420197d262 Malicious glib-2.0.dll
729eb505c36c08860c4408db7be85d707bdcbf1b Malicious glib-2.0.dll
c05216f896b289b9b426e249eae8a091a3358182 Malicious glib-2.0.dll
10039d5e5ee5710a067c58e76cd8200451e54b55 Malicious glib-2.0.dll
ff01473073c5460d1e544f5b17cd25dadf9da513 Malicious glib-2.0.dll
e35a702db47cb11337f523933acd3bce2f60346d Encrypted Cobalt Strike payload – c0000015.log
82bd4273fa76f20d51ca514e1070a3369a89313b Encrypted Cobalt Strike payload – c0000015.log
091b490500b5f827cc8cde41c9a7f68174d11302 Decrypted Cobalt Strike payload – c0000015.log
0815277e12d206c5bbb18fd1ade99bf225ede5db Encrypted Cobalt Strike payload – c0000013.log
eed31d16d3673199b34b48fb74278df8ec15ae33 Malicious mpclient.dll
149.28.137[.]7 Cobalt Strike C2
45.32.108[.]54 IP where the attacker staged the malicious payloads to be downloaded
139.180.184[.]147 Attacker C2 used to receive data from executed commands
info.openjdklab[.]xyz Domain used by the mpclient.dll

Read more technical details at official webpage. The Best Technology Site in Greecefgns

Microsoft Defender, malware, Cobalt Strike, iguru

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).