
Aug 2, 2022

LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload

Category: cybercrime/malcode

A SentinelOne investigation revealed that threat actors (TA) have been abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

The cybersecurity experts detailed their findings in an advisory last week, in which they said the TA carried out the attacks after obtaining initial access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server.

The attackers reportedly modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code.
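As an added example (not code from the post or from the SentinelOne advisory), the detection logic below flags the sideloading pattern described above: the Windows Defender command-line tool loading a DLL from outside Defender's own directories, or itself running from a copied location. It assumes Sysmon Event ID 7 (image-load) records flattened to dicts; the binary name MpCmdRun.exe, the trusted directory list and every sample record are assumptions or constructed values.

```python
"""Flag Sysmon Event ID 7 (ImageLoad) records in which the Defender CLI
loads a DLL from an untrusted place. Records are dicts with the Sysmon
field names Image, ImageLoaded, Signed and Signature (assumption)."""
from pathlib import PureWindowsPath

DEFENDER_CLI = "mpcmdrun.exe"  # Windows Defender command-line tool
# Assumption: default directories Defender binaries and DLLs load from.
TRUSTED_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)


def in_trusted_dir(path: str) -> bool:
    """Case-insensitive prefix match, since NTFS paths are case-insensitive."""
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def classify_image_load(event: dict) -> list[str]:
    """Reasons a record is suspicious (empty list = benign or not MpCmdRun)."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if PureWindowsPath(image).name.lower() != DEFENDER_CLI:
        return []
    reasons = []
    if not in_trusted_dir(image):
        reasons.append("MpCmdRun.exe running from a non-standard directory")
    if loaded.lower().endswith(".dll") and not in_trusted_dir(loaded):
        reasons.append("DLL loaded from outside Defender/system directories")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("loaded module is not Microsoft-signed")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """(process, DLL) pairs for every record classify_image_load flags."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if classify_image_load(e)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",   # benign
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\MpCmdRun.exe",           # copied out of place
     "ImageLoaded": r"C:\Users\Public\MpClient.dll",     # look-alike DLL
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # unrelated process
     "ImageLoaded": r"C:\Users\Public\MpClient.dll",
     "Signed": "false", "Signature": "-"},
]
```

In production the same three checks map onto an image-load rule in the SIEM; the signature check alone catches the case where the attacker also copies MpCmdRun.exe into a writable directory beside the planted DLL.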
