Sentinel Labs researchers discovered that threat actors affiliated with the LockBit 3.0 ransomware operation have installed Cobalt Strike beacons on compromised systems by abusing the Windows Defender command-line tool "MpCmdRun.exe", according to BleepingComputer.
The attackers used PowerShell to drop the Windows command-line utility together with a DLL and a LOG file, according to the Sentinel Labs report. They also built a weaponized version of "mpclient.dll", a library that MpCmdRun.exe loads when it runs, and placed it where the executable would pick up the malicious DLL instead of the legitimate one. The report further showed that an encrypted Cobalt Strike payload is then loaded and decrypted using the "c0000015.log" file.
The researchers also found that the threat actors gained initial network access by exploiting VMware Horizon servers vulnerable to Log4j, and noted that the switch to a Windows Defender binary as the loader was likely intended to evade detection.
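The pattern described above is a DLL sideload: a signed, trusted executable (MpCmdRun.exe) is copied somewhere the attacker controls and loads a lookalike mpclient.dll from beside it. A defender can catch that from image-load telemetry alone, because a legitimate Defender executable and its DLLs live under fixed install directories. The script below is an added example written for this page, not code from Sentinel Labs, BleepingComputer or Microsoft. It assumes Sysmon-style image-load records reduced to `Image` (loading process) and `ImageLoaded` (DLL) fields, and the two Defender install directories it whitelists are an assumption about a standard Windows layout; the sample events are constructed.

```python
"""Flag MpCmdRun.exe loading mpclient.dll from outside Windows Defender's install directories.

Assumed input: Sysmon-style image-load events (event ID 7) reduced to dicts with
'Image' (the loading process) and 'ImageLoaded' (the DLL). The legitimate Defender
directories below are an assumption about a standard Windows install, not something
stated in the article.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which Defender binaries are legitimately loaded (assumption).
LEGIT_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

SUSPECT_EXE = "mpcmdrun.exe"   # trusted, signed loader named in the report
SUSPECT_DLL = "mpclient.dll"   # library it loads, weaponized by the attackers

# Constructed sample telemetry: one benign Defender run, one sideload, one unrelated load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll"},
    {"Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _in_legit_dir(path: str) -> bool:
    """True if the path sits under one of the known Defender directories (any depth)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in LEGIT_DEFENDER_DIRS)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one image-load event, or None if it looks benign."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    # Only the MpCmdRun.exe -> mpclient.dll pairing is of interest here.
    if image.name.lower() != SUSPECT_EXE or loaded.name.lower() != SUSPECT_DLL:
        return None
    exe_ok = _in_legit_dir(event["Image"])
    dll_ok = _in_legit_dir(event["ImageLoaded"])
    if exe_ok and dll_ok:
        return None
    if not exe_ok and not dll_ok:
        # The classic sideload: copied loader plus lookalike DLL in an attacker-chosen directory.
        return "mpcmdrun-and-mpclient-outside-defender-dirs"
    return "mpclient-outside-defender-dirs" if not dll_ok else "mpcmdrun-outside-defender-dirs"


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (loading image, label) for every hit."""
    return [(e["Image"], label) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

The directory check, rather than a hash or signature check, is what matters here: the sideloaded binary is the genuine signed MpCmdRun.exe, so signature validation on the process alone passes. Pairing the loader's path with the DLL's path is what exposes the relocation.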