A Sentinel One investigation revealed threat actors (TA) have been abusing the Windows Defender command line tool to decrypt and load Cobalt Strike payloads.
The cybersecurity experts detailed their findings in an advisory last week, in which they said the TA managed to carry out the attacks after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.
The attackers reportedly modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code.
“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools,” the Sentinel One team wrote.
These reportedly included Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike. According to the security researchers, the threat actors downloaded a malicious DLL, the encrypted payload and the legitimate tool all from their controlled C2.
“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” Sentinel One wrote.
Consequently, the security researchers warned that organizations should give careful scrutiny to any tools the organization or the organization’s security software has made exceptions for.
“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” Sentinel One wrote.
More generally, RaaS has grown considerably since the beginning of the COVID-19 pandemic, mostly due to the shift to remote work and the consequent lack of security of home networks and misconfigured VPNs.