Ransomware Gang Takes Advantage of Opening in Microsoft Defender to Install Malware

A chain of compromise involving the well-known Log4J flaw and an opening in the Microsoft Defender command-line tool is being used by a ransomware gang to establish entry points into targeted machines. The LockBit group focuses, as always, on breaking into corporate networks to install ransomware that locks computers and steals data for extortion purposes.

In this case, a combination of tactics is used to avoid detection by security software, including Microsoft Defender itself. Starting from VMware Horizon servers that have not yet been patched against the Log4J flaws, the criminals elevate their privileges on a compromised device and execute PowerShell code, which lets them raise user privileges, gain access to files and other operating system resources, and download malicious files from command-and-control servers.

This is where the misuse of a Defender command-line tool, MpCmdRun.exe, comes in: it is abused to side-load a tampered DLL. The downloaded DLL mimics the legitimate filename and even carries Microsoft-looking file information, but it is malicious and serves to load Cobalt Strike beacons that establish persistence on infected computers and can then be used to carry out further attacks.

The alert about the new attack vector was raised by security firm Sentinel Labs, which describes it as a new offensive path for the LockBit group. The criminals originally used the Log4J flaw directly to infiltrate networks, but growing awareness of the flaw can reduce the rate of successful attacks, prompting them to explore new avenues.

The attack uses a tampered version of a legitimate DLL that Microsoft Defender uses in command-line operations; the Log4J flaw is also exploited in the chain of compromise (Image: Reproduction/Sentinel Labs)

The new tactic is based on “living off the land” attacks, which are characterized by the use of legitimate software and systems, in this case Microsoft Defender. The idea is to increase the stealth of the attack while providing persistence on compromised systems, either to carry out subsequent attacks or to sell the access to interested third parties.

The LockBit group is one of the best known and most dangerous in the current ransomware landscape. Its victims include global names like Accenture and government agencies from countries like Italy and the UK. In Brazil, Atento became one of the gang’s main victims, and the country is also the third most affected by the gang’s attacks.

Indicators of compromise and other technical details about this attack are available in the alert issued by Sentinel Labs. Experts recommend monitoring all types of software available on a company’s network, especially software that would normally slip beyond scrutiny, such as security tools.
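One way a defender could act on the recommendation above, and on the MpCmdRun.exe side-loading described earlier, as an added example that is not from the article or from Sentinel Labs: a small Python check over Sysmon-style image-load events that flags the Defender command-line tool running from, or loading a DLL from, outside its install directory, or loading a DLL that lacks a valid Microsoft signature. The Defender directory list is an assumption based on default installs, and the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Default locations of a genuine Defender binary and its DLLs (assumed, not from the article).
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the known Defender install directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d) for d in TRUSTED_DEFENDER_DIRS)

def analyze_image_load(event: dict) -> list:
    """Reasons a DLL load by MpCmdRun.exe looks like side-loading; empty list if benign."""
    if PureWindowsPath(event["Image"]).name.lower() != "mpcmdrun.exe":
        return []  # only Defender's command-line tool is of interest here
    reasons = []
    if not in_trusted_dir(event["Image"]):
        reasons.append("MpCmdRun.exe ran from outside the Defender install directory")
    if not in_trusted_dir(event["ImageLoaded"]):
        reasons.append("DLL loaded from outside the Defender install directory")
    # Version-info strings are trivially spoofed; only a valid Microsoft Authenticode
    # signature (as reported by the sensor) counts as evidence the DLL is genuine.
    signer = event.get("Signature", "").lower()
    if event.get("SignatureStatus") != "Valid" or not signer.startswith("microsoft"):
        reasons.append("loaded DLL does not carry a valid Microsoft signature")
    return reasons

def scan(lines) -> list:
    """Run the check over JSON-encoded image-load events; return (dll, reasons) findings."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reasons = analyze_image_load(ev)
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings

# Constructed sample events using Sysmon Event ID 7 (image load) field names.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"Image": r"C:\Users\Public\MpCmdRun.exe",
                "ImageLoaded": r"C:\Users\Public\MpClient.dll",
                "Signature": "-", "SignatureStatus": "Unavailable"}),
]
```

Running `scan(SAMPLE_EVENTS)` reports only the second event, with all three reasons; the same logic can be fed real Sysmon exports once the field names are mapped.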

Source: Sentinel Labs
