
According to reports, attackers use the MpCmdRun.exe tool to decrypt and download Cobalt Strike onto the victim's system. However, using Windows Defender is just one step in the hacking scheme. The attackers first compromise VMware Horizon Server systems that lack a fix for the Log4j vulnerability.

Once infiltrated, the hackers run a series of commands and launch post-exploitation tools, including Meterpreter and PowerShell Empire. The hackers modify the Blast Secure Gateway component by installing a web shell with PowerShell code.

Next, the attackers download a malicious DLL, an encrypted malicious module, and a legitimate tool, MpCmdRun.exe, with a working digital signature from a remote server. The malicious DLL is the mpclient.dll library, which has been modified in a special way. MpCmdRun.exe automatically loads the library and uses it to decode the main part of Cobalt Strike's active element, which is hidden in the C0000015.log file.

"Defenders must keep in mind that LockBit operators and their partners are researching and using new tools to 'live off the land', i.e. legitimate local means of downloading Cobalt Strike beacons, successfully bypassing some typical EDR systems and antivirus," SentinelOne said.

Earlier this year, experts from SentinelOne warned that LockBit operators use the VMwareXferlogs.exe utility (a legitimate VMware virtualization tool for communicating with VMX protocols) to download Cobalt Strike beacons.
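As an added defender-side example (not code from the article or from SentinelOne), the following Python flags the side-loading pattern described above in Sysmon Event ID 7 (image load) records: MpCmdRun.exe running from, or loading mpclient.dll from, a location outside Microsoft Defender's own directories, or loading an mpclient.dll that is not validly signed. The sample records, the path under `C:\Users\Public` and the platform version folder name are constructed for the example.

```python
# Directories where Microsoft Defender legitimately keeps MpCmdRun.exe and mpclient.dll.
TRUSTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def _in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of Defender's own install directories."""
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DEFENDER_DIRS)


def classify_image_load(event: dict) -> list:
    """Return findings for one Sysmon Event ID 7 record (fields: Image, ImageLoaded, SignatureStatus)."""
    findings = []
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not image.lower().endswith("\\mpcmdrun.exe"):
        return findings  # only the signed Defender binary is of interest here
    if not _in_trusted_dir(image):
        findings.append("MpCmdRun.exe executed from outside the Defender directories")
    if loaded.lower().endswith("\\mpclient.dll"):
        if not _in_trusted_dir(loaded):
            findings.append("mpclient.dll side-loaded from outside the Defender directories")
        if event.get("SignatureStatus", "").lower() != "valid":
            findings.append("mpclient.dll loaded by MpCmdRun.exe is not validly signed")
    return findings


# Constructed sample records; the platform version folder is a placeholder.
SAMPLE_EVENTS = [
    {  # benign: Defender's own platform directory, validly signed DLL
        "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MpCmdRun.exe",
        "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\mpclient.dll",
        "SignatureStatus": "Valid",
    },
    {  # suspicious: a copy of MpCmdRun.exe staged next to a tampered mpclient.dll
        "Image": "C:\\Users\\Public\\MpCmdRun.exe",
        "ImageLoaded": "C:\\Users\\Public\\mpclient.dll",
        "SignatureStatus": "Unavailable",
    },
]


def scan(events):
    """Run the classifier over a list of records and return (Image, finding) pairs."""
    return [(e["Image"], f) for e in events for f in classify_image_load(e)]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```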
