Microsoft Windows Defender hacked: The security program Windows Defender is being exploited in order to side-load LockBit 3.0. Researchers have discovered that attackers who exploit vulnerabilities in Log4j are now using the command-line tool for Windows Defender to deploy Cobalt Strike beacons.
Researchers from Sentinel Labs, which specialises in information security, have recently uncovered a new technique that was used by an unidentified threat actor and had as its ultimate goal the distribution of the LockBit 3.0 ransomware.
This is how it would operate. The threat actor would exploit Log4Shell, the nickname given to the Log4j zero-day vulnerability, to get access to a target endpoint and obtain the appropriate user privileges. After that step was completed, they would use PowerShell to download three distinct files: a clean Windows command-line utility, a DLL file (mpclient.dll), and a LOG file (the actual Cobalt Strike beacon).
Cobalt Strike with Side Loading
After that, they would start MpCmdRun.exe, a command-line application for Microsoft Defender that performs a variety of different functions. In most cases, that application loads a valid DLL file known as mpclient.dll, which it needs in order to execute successfully. In this particular scenario, however, the program would load the malicious DLL that was downloaded along with it, which has the same name as the legitimate one.
Once loaded, that DLL loads and decrypts the encrypted Cobalt Strike payload. The technique in question is known as side-loading.
According to BleepingComputer, this LockBit affiliate has traditionally used VMware’s command line tools to side-load Cobalt Strike beacons. As a result, the transition to using Windows Defender is a bit unexpected. The magazine hypothesizes that the adjustment was made in order to circumvent the targeted defenses that VMware only very recently implemented.
Still, the use of living-off-the-land tools to avoid being detected by antivirus or malware protection services is “extremely common” these days, the publication concludes. As a result, the publication urges businesses to check their security controls and be vigilant in tracking how legitimate executables are being (ab)used.
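As an added illustration of that kind of tracking (this is not code from Sentinel Labs, BleepingComputer or this article), the following Python example flags the side-loading pattern described above in Sysmon-style process-creation and image-load events. The trusted directory list, the event field names and the sample events are assumptions constructed for the example.

```python
import ntpath

# Assumed legitimate install locations for Microsoft Defender binaries
# (not stated in the article; adjust to your environment).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\program files (x86)\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
WATCHED_EXE = "mpcmdrun.exe"
WATCHED_DLL = "mpclient.dll"


def in_trusted_dir(path: str) -> bool:
    """True if path sits in (or below) one of the trusted Defender directories."""
    # normpath collapses "..\" segments so traversal tricks cannot fake a trusted prefix.
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_event(event: dict) -> list:
    """Return findings for one Sysmon-style event (ID 1 = process create, 7 = image load)."""
    findings = []
    image = event.get("Image", "")
    if ntpath.basename(image).lower() == WATCHED_EXE and not in_trusted_dir(image):
        findings.append(f"MpCmdRun.exe running from unexpected path: {image}")
    if event.get("EventID") == 7:
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() == WATCHED_DLL:
            if not in_trusted_dir(loaded):
                findings.append(f"mpclient.dll loaded from unexpected path: {loaded}")
            if event.get("SignatureStatus") != "Valid":
                findings.append(f"mpclient.dll without valid signature: {loaded}")
    return findings


# Constructed sample events (field names follow Sysmon; all values are invented).
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0"
DROP_DIR = r"C:\Users\Public\Downloads"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"EventID": 7, "Image": PLATFORM + r"\MpCmdRun.exe",
     "ImageLoaded": PLATFORM + r"\MpClient.dll", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": DROP_DIR + r"\MpCmdRun.exe"},
    {"EventID": 7, "Image": DROP_DIR + r"\MpCmdRun.exe",
     "ImageLoaded": DROP_DIR + r"\mpclient.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in check_event(ev):
            print(finding)
```

The same two conditions (a clean MpCmdRun.exe running outside its install directory, and mpclient.dll loaded from beside it) can be expressed as rules in whatever EDR or SIEM query language is in use.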
Even though Cobalt Strike is a genuine tool that’s used for penetration testing, it has gained quite a bit of notoriety because threat actors all around the world are abusing it. It comes with a comprehensive range of features that cybercriminals can use to map out the target network unnoticed and move laterally across endpoints as they prepare to steal data and spread ransomware.