Windows Defender Abused By Lockbit Ransomware for Payload Loading

66
Windows-Defender-Abused-By Lockbit-Ransomware-for-Payload-Loading
Windows-Defender-Abused-By Lockbit-Ransomware-for-Payload-Loading

According to endpoint security company SentinelOne, a LockBit ransomware operator or affiliate has been abusing Windows Defender to decrypt and load Cobalt Strike payloads during attacks.

According to a SentinelOne report from April, threat actors used the legitimate VMware command-line tool “VMwareXferlogs.exe” to side-load the Cobalt Strike payload in a LockBit ransomware attack. The cybersecurity company saw the attacker use a command-line tool connected to Windows Defender in a different attack. In particular, the hackers loaded and decrypted post-exploitation Cobalt Strike payloads using ‘MpCmdRun.exe’. The vulnerability in Log4Shell was exploited to launch the attack against a VMware Horizon Server instance.

Read More: LockBit Ransomware Abuses Windows Defender for Payload Loading

For more such updates follow us on Google News ITsecuritywire News