Windows Defender Abused By Lockbit Ransomware for Payload Loading


According to endpoint security company SentinelOne, a LockBit ransomware operator or affiliate has been abusing Windows Defender to decrypt and load Cobalt Strike payloads during attacks.

According to a SentinelOne report from April, threat actors used the legitimate VMware command-line tool “VMwareXferlogs.exe” to side-load the Cobalt Strike payload in a LockBit ransomware attack. In a different attack, the cybersecurity company saw the attacker use a command-line tool that ships with Windows Defender: the hackers used ‘MpCmdRun.exe’ to decrypt and load post-exploitation Cobalt Strike payloads. The Log4Shell vulnerability was exploited to launch the attack against a VMware Horizon Server instance.
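Both cases described above are DLL side-loading: a legitimately signed vendor binary is copied somewhere it does not normally run and is made to load a DLL from that directory. A defender can catch that pattern from image-load telemetry without knowing the payload in advance. The following is an added detection example written for this article; it is not code from SentinelOne, Microsoft, or VMware. It assumes Sysmon-style image-load fields (process image, loaded DLL, signature status), assumes the typical default install directories for Windows Defender and VMware tools, and runs over constructed sample records whose DLL names and version directory are placeholders.

```python
"""Flag DLL side-loading of signed vendor binaries (MpCmdRun.exe, VMwareXferlogs.exe)
from Sysmon-style image-load records. Added example; sample data is constructed."""
import ntpath
from dataclasses import dataclass

# Assumption: default install locations for the binaries that were abused.
# Normalised with ntpath so the check is case- and separator-insensitive.
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (r"c:\program files\vmware",),
}
# System DLL directories that any process legitimately loads from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class ImageLoad:
    image: str          # process executable (Sysmon Event ID 7 "Image")
    image_loaded: str   # DLL mapped into the process ("ImageLoaded")
    signed: bool        # whether the DLL carried a valid signature


def _under(path: str, prefixes) -> bool:
    """True if path lies beneath any of the given directory prefixes."""
    p = ntpath.normcase(ntpath.normpath(path))
    return any(p.startswith(ntpath.normcase(ntpath.normpath(d)) + "\\")
               for d in prefixes)


def classify(ev: ImageLoad) -> list:
    """Return a list of finding tags for one image-load record (empty = benign)."""
    name = ntpath.normcase(ntpath.basename(ev.image))
    if name not in EXPECTED_DIRS:
        return []                      # not one of the watched binaries
    expected = EXPECTED_DIRS[name]
    findings = []
    relocated = not _under(ev.image, expected)
    if relocated:
        findings.append("binary_outside_expected_dir")
    if not _under(ev.image_loaded, expected + SYSTEM_DIRS):
        findings.append("dll_outside_expected_dir")
    # The classic side-load shape: a relocated signed binary loading a DLL
    # that sits right next to it.
    same_dir = (ntpath.normcase(ntpath.dirname(ev.image))
                == ntpath.normcase(ntpath.dirname(ev.image_loaded)))
    if relocated and same_dir:
        findings.append("dll_colocated_with_relocated_binary")
    if not ev.signed:
        findings.append("unsigned_dll")
    return findings


def scan(events):
    """Return (event, findings) pairs for every record that raised a finding."""
    flagged = []
    for ev in events:
        findings = classify(ev)
        if findings:
            flagged.append((ev, findings))
    return flagged


# Constructed sample telemetry; DLL names, staging path and version dir are placeholders.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0\helper.dll", True),
    ImageLoad(r"C:\Users\Public\staging\MpCmdRun.exe",
              r"C:\Users\Public\staging\loader.dll", False),
    ImageLoad(r"C:\Users\Public\staging\VMwareXferlogs.exe",
              r"C:\Users\Public\staging\loader.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\user32.dll", True),
]

if __name__ == "__main__":
    for ev, findings in scan(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded, findings)
```

On the constructed records only the two staging-directory loads are flagged, each with all four tags; the two Defender loads from their normal directories and the unrelated notepad load produce nothing. In a real deployment the binary and DLL paths would come from the EDR or Sysmon pipeline and the expected-directory table would be tuned to the organisation's actual install layout.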

Read More: LockBit Ransomware Abuses Windows Defender for Payload Loading
