LockBit operators have been observed abusing legitimate security tools to load Cobalt Strike beacons, deploying a living-off-the-land approach to evade defenses. The campaign pivots on using MpCmdRun.exe to decrypt and load a weaponized DLL, following prior side-loading using VMwareXferlogs.exe, after initial access via a Log4j vulnerability in VMware Horizon Server.
#LockBit #LockBitBlack #CobaltStrike #MpCmdRun #WindowsDefender #VMwareHorizon #Log4j
Keypoints
- The initial compromise occurred via the Log4j vulnerability in an unpatched VMware Horizon Server, leading to a web shell installation.
- Threat actors performed PowerShell-based reconnaissance and exfiltration, including sending command output to an external IP.
- Malicious payloads were downloaded from C2 infrastructure, including a weaponized mpclient.dll and an encrypted Cobalt Strike beacon (c0000015.log).
- MpCmdRun.exe, a legitimate Windows Defender tool, was abused to decrypt and load the Cobalt Strike beacon, enabling covert execution.
- DLL side-loading techniques were used to load the weaponized mpclient.dll and decrypt the Cobalt Strike payload.
- Defenses were evaded by removing EDR/EPP userland hooks and interfering with Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).
- Indicators of Compromise (IOCs) include DLL hashes, payload logs, IPs, and domains linked to C2 and staging activity.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon Server. ‘The initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon Server.’
- [T1059.001] PowerShell – Reconnaissance and command execution conducted through PowerShell, including base64-encoded data exfiltration. ‘reconnaissance began using PowerShell to execute commands and exfiltrate the command output via a POST base64 encoded request to an IP.’
- [T1105] Ingress Tool Transfer – Downloads of mpclient.dll, c0000015.log, and MpCmdRun.exe from C2 to staging and execution locations. ‘The threat actor downloads a malicious DLL, the encrypted payload and the legitimate tool from their controlled C2.’
- [T1574.001] DLL Side-Loading – MpCmdRun.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon. ‘Following the same flow as the sideloading of the VMwareXferlogs.exe utility reported on previously, MpCmd.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.’
- [T1562.001] Disable or Modify Tools – Defenses evaded by removing EDR/EPP hooks and tampering with ETW and AMSI. ‘to evade defenses by removing EDR/EPP’s userland hooks, Event Tracing for Windows and Antimalware Scan Interface were also observed.’
- [T1041] Exfiltration Over C2 Channel – Command output exfiltrated via POST requests to a remote IP. ‘exfiltrate the command output via a POST base64 encoded request to an IP.’
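One detection angle that follows from the side-loading step above, as an added example that is not part of the original summary: MpCmdRun.exe legitimately loads mpclient.dll only from the Windows Defender install directories, so an image-load event in which either the process or the DLL sits elsewhere (e.g. a user-writable staging folder) is a strong signal. The script assumes Sysmon-style image-load events reduced to "process|dll" pairs and assumes the two Defender directories listed are the only legitimate ones in the environment; all sample events are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories the genuine Defender binaries and mpclient.dll load from
# (assumption: adjust to the environment's actual install paths).
LEGIT_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class ImageLoad:
    process_image: str  # full path of the process that mapped the DLL
    loaded_image: str   # full path of the DLL that was mapped


def _under(path: str, roots) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(r) for r in roots)


def is_sideload(event: ImageLoad) -> bool:
    """True when MpCmdRun.exe maps mpclient.dll and either binary sits
    outside the legitimate Defender directories (T1574.001 pattern)."""
    proc_name = PureWindowsPath(event.process_image).name.lower()
    dll_name = PureWindowsPath(event.loaded_image).name.lower()
    if proc_name != "mpcmdrun.exe" or dll_name != "mpclient.dll":
        return False
    return not (_under(event.process_image, LEGIT_DEFENDER_DIRS)
                and _under(event.loaded_image, LEGIT_DEFENDER_DIRS))


# Constructed sample events (not from the incident), one "process|dll" per line.
SAMPLE_EVENTS = """\
C:\\Program Files\\Windows Defender\\MpCmdRun.exe|C:\\Program Files\\Windows Defender\\mpclient.dll
C:\\Users\\Public\\MpCmdRun.exe|C:\\Users\\Public\\mpclient.dll
C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0000.0-0\\MpCmdRun.exe|C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0000.0-0\\mpclient.dll
C:\\Windows\\System32\\svchost.exe|C:\\Users\\Public\\mpclient.dll
"""


def find_sideloads(text: str) -> list[str]:
    """Return the process paths of events that match the side-load pattern."""
    hits = []
    for line in text.splitlines():
        proc, _, dll = line.partition("|")
        if is_sideload(ImageLoad(proc, dll)):
            hits.append(proc)
    return hits
```

Only the copy of MpCmdRun.exe run from C:\Users\Public is flagged; the real Defender loads and an unrelated process loading a stray mpclient.dll are left for other rules.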
Indicators of Compromise
- [File hash] Malicious glib-2.0.dll – a512215a000d1b21f92dbef5d8d57a420197d262, 729eb505c36c08860c4408db7be85d707bdcbf1b and 2 more hashes
- [File hash] Encrypted Cobalt Strike payload – c0000015.log – e35a702db47cb11337f523933acd3bce2f60346d, 82bd4273fa76f20d51ca514e1070a3369a89313b
- [File hash] Decrypted Cobalt Strike payload – c0000015.log – 091b490500b5f827cc8cde41c9a7f68174d11302
- [File hash] Encrypted Cobalt Strike payload – c0000013.log – 0815277e12d206c5bbb18fd1ade99bf225ede5db
- [File hash] Malicious mpclient.dll – eed31d16d3673199b34b48fb74278df8ec15ae33
- [IP] 149.28.137.7 – Cobalt Strike C2
- [IP] 45.32.108.54 – IP where the attacker staged the malicious payloads to be downloaded
- [IP] 139.180.184.147 – Attacker C2 used to receive data from executed commands
- [Domain] info.openjdklab.xyz – Domain used by the mpclient.dll
- [File name] VMwareXferlogs.exe – legitimate VMware utility abused in the earlier side-loading chain