
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

Writer: Stormsec

Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent ransomware-as-a-service (RaaS) implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the legitimate, signed VMware command line utility, VMwareXferlogs.exe, in a live engagement to sideload Cobalt Strike.
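The technique summarised above is classic DLL side-loading: a legitimate, signed executable is dropped next to an attacker-supplied DLL and, because of Windows' DLL search order, loads the attacker's library before any system copy. The snippet below is an added detection example, not code from the SentinelLabs report or from Stormsec: it runs two side-loading heuristics over image-load records whose field names loosely mirror Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature). All paths, the DLL name vmtools-helper.dll and the signer strings are constructed for the example; only VMwareXferlogs.exe is taken from the text.

```python
"""Heuristic DLL side-loading detector over constructed image-load records.

Added example for the side-loading technique described above. The records,
paths and signer names are invented; field names loosely mirror Sysmon
Event ID 7 (ImageLoaded) but nothing here is parsed from a real Sysmon log.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Directories from which Windows legitimately serves system DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A few DLL names that normally live only in the system directories. Any load
# of one of these from elsewhere is worth an alert on its own (search-order
# hijack pattern). This list is a small illustrative subset, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}


@dataclass
class ImageLoad:
    process: str       # loading process image path (cf. Sysmon 7 'Image')
    dll: str           # module that was loaded (cf. Sysmon 7 'ImageLoaded')
    dll_signed: bool   # whether the loaded module carries a valid signature
    dll_signer: str    # signer name of the loaded module, '' when unsigned


def _norm(path: str) -> PureWindowsPath:
    # Case-insensitive comparison: Windows paths are not case sensitive.
    return PureWindowsPath(path.lower())


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like side-loading, else None."""
    proc = _norm(ev.process)
    dll = _norm(ev.dll)
    dll_dir = str(dll.parent)

    # Rule 1: a well-known system DLL name loaded from a non-system directory.
    if dll.name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        return f"system DLL name {dll.name} loaded from non-system path {dll_dir}"

    # Rule 2: an unsigned DLL loaded from the host binary's own directory.
    # Legitimate software does this too, so this rule needs baselining.
    if dll.suffix == ".dll" and dll_dir == str(proc.parent) and not ev.dll_signed:
        return f"unsigned DLL {dll.name} loaded from host binary's own directory"

    return None


def detect(events: Iterable[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every record that trips a rule."""
    return [(ev.process, ev.dll, r) for ev in events if (r := classify(ev))]


# Constructed sample records (hypothetical paths, DLL name and signers).
SAMPLE_EVENTS = [
    # Benign: the utility in a plausible install directory loading a system DLL.
    ImageLoad(r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # Benign: a signed vendor DLL loaded from the same install directory.
    ImageLoad(r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
              r"C:\Program Files\VMware\VMware Tools\vmtools-helper.dll",
              True, "VMware, Inc."),
    # Suspicious: the same signed utility copied to a user-writable directory,
    # loading an unsigned DLL (hypothetical name) sitting next to it.
    ImageLoad(r"C:\Users\Public\update\VMwareXferlogs.exe",
              r"C:\Users\Public\update\vmtools-helper.dll", False, ""),
    # Suspicious: a system DLL name served from the binary's own directory.
    ImageLoad(r"C:\Users\Public\update\VMwareXferlogs.exe",
              r"C:\Users\Public\update\version.dll", False, ""),
]

if __name__ == "__main__":
    for process, dll, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {process} -> {dll}: {reason}")
```

Both rules are hunting heuristics rather than tuned alerts: plenty of legitimate software ships unsigned helper DLLs beside its executable, and an attacker can sign a malicious DLL with a bought or stolen certificate, so in practice the output should be baselined per host and joined with process-creation and network events (here, the Cobalt Strike beacon traffic that followed the load).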




MALWARE FAMILIES: Cobalt Strike, LockBit


ATT&CK IDS: T1140 - Deobfuscate/Decode Files or Information, T1059 - Command and Scripting Interpreter, T1056 - Input Capture, T1190 - Exploit Public-Facing Application, T1059.001 - PowerShell, T1073 - DLL Side-Loading (deprecated ID; now T1574.002 - Hijack Execution Flow: DLL Side-Loading), T1116 - Code Signing (deprecated ID; now T1553.002 - Subvert Trust Controls: Code Signing)

