Researchers at SentinelLabs reported that a LockBit affiliate has begun leveraging the legitimate Windows Defender command line tool “MpCmdRun.exe” in order to decrypt and load Cobalt Strike beacons.
The LockBit attack began as a Log4j exploitation against an out-of-date VMware Horizon server. By modifying the Blast Secure Gateway component of VMware Horizon, the threat actor obtained a PowerShell-based web shell for initial access.
The operator then downloaded three files onto the victim host: a malicious “mpclient.dll”, “C0000015.log”, and a copy of the legitimate “MpCmdRun.exe”. Using DLL side-loading, the operator executed the legitimate Windows Defender tool “MpCmdRun.exe” from that location so that the malicious DLL was loaded in place of the legitimate one. Once the malicious DLL is loaded, it decrypts and loads the Cobalt Strike beacon stored inside “C0000015.log” to establish persistent Command and Control (C2).
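A defender-side check for the side-loading pattern described above, as an added example that is not part of the SentinelLabs report: it scans Sysmon-style image-load records and flags MpCmdRun.exe running from, or loading mpclient.dll from, anywhere outside the Defender install directories. The trusted directory list and the event field names are assumptions and should be tuned to your environment.

```python
from pathlib import PureWindowsPath

# Assumption: default locations of the genuine Defender binaries on Windows 10/11.
TRUSTED_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


def in_trusted_dir(path: str) -> bool:
    """True if path lies under one of TRUSTED_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def sideload_alerts(events):
    """Return (rule, path) tuples for suspicious image-load records.

    Each event is a dict shaped like a Sysmon Event ID 7 record (assumed field
    names): {"image": <process path>, "loaded": <module path>}.
    """
    alerts = []
    for ev in events:
        proc, mod = ev["image"], ev["loaded"]
        if PureWindowsPath(proc).name.lower() != "mpcmdrun.exe":
            continue
        # Rule 1: a copied MpCmdRun.exe executing outside its install directory.
        if not in_trusted_dir(proc):
            alerts.append(("mpcmdrun_untrusted_path", proc))
        # Rule 2: mpclient.dll resolved from anywhere other than the Defender directories.
        if (PureWindowsPath(mod).name.lower() == "mpclient.dll"
                and not in_trusted_dir(mod)):
            alerts.append(("mpclient_untrusted_path", mod))
    return alerts


# Constructed sample records: one benign load, then the pattern from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "loaded": r"C:\Program Files\Windows Defender\mpclient.dll"},
    {"image": r"C:\Users\Public\MpCmdRun.exe",
     "loaded": r"C:\Users\Public\mpclient.dll"},
]

if __name__ == "__main__":
    for rule, path in sideload_alerts(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The benign record produces no alert; the copied binary and its co-located DLL trigger both rules.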