Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implements a series of anti-analysis and anti-debugging routines. Our research was quickly followed by others reporting similar findings. Earlier, in April, SentinelLabs reported on how a LockBit affiliate leveraged the legitimate VMware command-line utility VMwareXferlogs.exe in a live engagement to side-load Cobalt Strike.
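One detection that follows from the side-loading observation above, as an added example (not code from the SentinelLabs report or from this page): scan Sysmon-style image-load records (Event ID 7) for DLLs loaded by VMwareXferlogs.exe and flag the cases side-loading produces, namely the signed binary running outside its install directory, a DLL loaded from outside that directory, or a DLL that is unsigned or signed by an unexpected publisher. The install-directory paths, trusted-signer list, sample events and DLL names are all constructed for the demo and are assumptions, not data from the report.

```python
"""Added example: flag DLL side-loading via VMwareXferlogs.exe in
Sysmon-style ImageLoad (Event ID 7) records.

Not code from the SentinelLabs report. Paths, signers and the sample
events below are constructed for demonstration.
"""
from pathlib import PureWindowsPath

# Assumption: where a legitimate VMwareXferlogs.exe and its DLLs live.
EXPECTED_DIRS = (
    r"C:\Program Files\VMware\VMware Tools",
    r"C:\Program Files (x86)\VMware\VMware Tools",
)
# Assumption: publishers we accept for DLLs loaded into this process.
TRUSTED_SIGNERS = {"VMware, Inc.", "Microsoft Corporation", "Microsoft Windows"}

# Constructed Sysmon-like Event ID 7 records (field names mirror Sysmon,
# values are made up for the demo).
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtoolsbase.dll",
     "Signed": "true", "Signature": "VMware, Inc."},          # benign
    {"EventID": 7,
     "Image": r"C:\Users\Public\VMwareXferlogs.exe",            # binary copied out
     "ImageLoaded": r"C:\Users\Public\support.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7,
     "Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\ProgramData\temp\support.dll",         # DLL from elsewhere
     "Signed": "false", "Signature": ""},
    {"EventID": 7,
     "Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\support.dll",
     "Signed": "false", "Signature": ""},                      # planted, unsigned
    {"EventID": 7,
     "Image": r"C:\Windows\System32\notepad.exe",               # not our process
     "ImageLoaded": r"C:\Users\Public\support.dll",
     "Signed": "false", "Signature": ""},
]


def _under(path: str, roots) -> bool:
    """Case-insensitive check that `path` lies beneath one of `roots`."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        rp = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[: len(rp)] == rp:
            return True
    return False


def classify_image_load(event: dict):
    """Return a reason string if the event looks like side-loading, else None."""
    if event.get("EventID") != 7:
        return None
    exe = event.get("Image", "")
    if PureWindowsPath(exe).name.lower() != "vmwarexferlogs.exe":
        return None
    dll = event.get("ImageLoaded", "")
    # Attackers usually copy the signed host binary next to the rogue DLL.
    if not _under(exe, EXPECTED_DIRS):
        return "VMwareXferlogs.exe running outside its install directory"
    if not _under(dll, EXPECTED_DIRS):
        return "DLL loaded from outside the VMware install directory"
    if str(event.get("Signed", "")).lower() != "true":
        return "unsigned DLL loaded"
    if event.get("Signature") not in TRUSTED_SIGNERS:
        return f"DLL signed by untrusted publisher {event.get('Signature')!r}"
    return None


def find_sideloads(events):
    """Return [(ImageLoaded, reason), ...] for every event that fires."""
    hits = []
    for ev in events:
        reason = classify_image_load(ev)
        if reason:
            hits.append((ev.get("ImageLoaded", ""), reason))
    return hits


if __name__ == "__main__":
    for dll, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {dll}")
```

The signer checks depend on Sysmon being configured to record image loads (Event ID 7), which most default configurations leave off because of volume; scoping the rule to one host binary, as above, keeps the cost manageable. Treat the path and signer lists as per-environment tuning, not fixed values.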
TAGS: cobalt strike, lockbit
MALWARE FAMILIES: Cobalt Strike, LockBit
ATT&CK IDS: T1140 - Deobfuscate/Decode Files or Information, T1059 - Command and Scripting Interpreter, T1056 - Input Capture, T1190 - Exploit Public-Facing Application, T1059.001 - PowerShell, T1073 - DLL Side-Loading (deprecated; now T1574.002 - Hijack Execution Flow: DLL Side-Loading), T1116 - Code Signing (deprecated; now T1553.002 - Subvert Trust Controls: Code Signing)