- The latest iteration of the notorious RaaS, LockBit 3.0, now uses a legitimate Windows Defender command line tool.
- LockBit 3.0, also known as LockBit Black, implements multiple anti-analysis and anti-debugging routines to improve its attacks.
- After downloading Cobalt Strike, the threat actor tried to execute it and send the output to the IP starting with 139.
SentinelOne's researchers' recent findings show that the notorious LockBit team is shifting its focus from VMware to Windows. A few months ago, LockBit was abusing the VMware command line utility VMwareXferlogs.exe to sideload Cobalt Strike. The report shows that in the latest iteration of the RaaS, LockBit 3.0, also known as LockBit Black, the team has implemented various anti-analysis and anti-debugging routines and is now targeting Windows.
Windows Defender command line tool
The attack chain begins by exploiting the Log4j vulnerability in unpatched VMware Horizon servers. The attackers modify the Blast Secure Gateway component and install a web shell using PowerShell code. After achieving initial access, they run enumeration commands and post-exploitation tools such as Meterpreter and PowerShell Empire, along with a new way to sideload Cobalt Strike.
While investigating an attempt to execute Cobalt Strike, SentinelOne's researchers identified a new tool used to sideload a DLL that decrypts the payload: the attackers use MpCmdRun.exe, a legitimate Windows Defender command line tool, to decrypt and load Cobalt Strike payloads.
SentinelOne also stated that they discovered the IP address used to download the Cobalt Strike payload. After downloading Cobalt Strike, the attackers tried to execute it and send the output to an IP address that starts with 130. SentinelOne said:
« Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel “living off the land” tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools.
Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls. »
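The technique described above, a trusted security binary copied out of its install directory so that it picks up an attacker-supplied DLL sitting beside it, is a pattern defenders can hunt for in process-creation and image-load telemetry. The following is an added example, not code from the article or from SentinelOne: a small Python detector that runs over constructed Sysmon-style records (the log lines, the `EventID`/`Image`/`ImageLoaded` field names, the "expected home directory" table and the DLL name in the samples are all assumptions for illustration) and flags the two sideloading signals the article points at, MpCmdRun.exe or VMwareXferlogs.exe running from an unexpected path, and either binary loading a DLL from outside its own install location and the system directories.

```python
"""
Heuristic detection for DLL sideloading through trusted vendor binaries
such as MpCmdRun.exe (Windows Defender) and VMwareXferlogs.exe (VMware).

Everything below is a constructed example for illustration: the log lines
imitate Sysmon-style process-creation (EventID 1) and image-load (EventID 7)
records and are not telemetry from the incident the article describes.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Binaries the article names as abused for sideloading, mapped to the
# directories they legitimately live in (assumption: typical install paths).
TRUSTED_HOMES = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (
        r"c:\program files\vmware",
    ),
}

# DLLs legitimately come from the binary's own directory or the OS directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Event:
    event_id: int       # 1 = process create, 7 = image load (Sysmon numbering)
    image: str          # full path of the process executable
    loaded: str = ""    # for event 7: full path of the DLL that was loaded


def parse_line(line):
    """Parse a constructed 'Key=Value|Key=Value' record into an Event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(int(fields["EventID"]), fields["Image"], fields.get("ImageLoaded", ""))


def _under(path, prefixes):
    """True if path (case-insensitive) lies inside one of the directory prefixes."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(prefix.rstrip("\\") + "\\") for prefix in prefixes)


def assess(event):
    """Return a list of findings for one event; empty when nothing looks off."""
    name = PureWindowsPath(event.image).name.lower()
    if name not in TRUSTED_HOMES:
        return []
    homes = TRUSTED_HOMES[name]
    findings = []
    # Signal 1: the trusted binary was copied to (and run from) a non-standard path.
    if not _under(event.image, homes):
        findings.append(f"{name} executed from unexpected path {event.image}")
    # Signal 2: the trusted binary pulled a DLL from somewhere other than its own
    # install directory or the system directories, the classic sideload pattern.
    if event.event_id == 7 and event.loaded and not _under(event.loaded, homes + SYSTEM_DIRS):
        findings.append(f"{name} loaded {event.loaded} from outside trusted locations")
    return findings


def scan(lines):
    """Run assess() over every record and collect all findings."""
    return [finding for line in lines for finding in assess(parse_line(line))]


# Constructed sample telemetry (the DLL name is illustrative only).
SAMPLE_LOG = [
    # Benign: Defender's scanner running from, and loading from, its install directory.
    r"EventID=1|Image=C:\Program Files\Windows Defender\MpCmdRun.exe",
    r"EventID=7|Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Program Files\Windows Defender\MpClient.dll",
    # Suspicious: the same binary copied to a user-writable folder, loading a DLL beside it.
    r"EventID=1|Image=C:\Users\Public\MpCmdRun.exe",
    r"EventID=7|Image=C:\Users\Public\MpCmdRun.exe|ImageLoaded=C:\Users\Public\MpClient.dll",
    # Unrelated process: not in the watch list, so ignored.
    r"EventID=1|Image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```

Against the constructed sample the benign Defender events produce nothing, while the copy in `C:\Users\Public` produces three findings (an unexpected execution path on the process-creation event, and both an unexpected path and an untrusted DLL location on the image-load event). The detector deliberately keys on path context rather than on file hashes, since the abused executable is a genuine, signed vendor binary; allow-listing by signer or by product name alone, as the quoted advice warns, is exactly what this technique takes advantage of.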