LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to sideload Cobalt Strike.
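Both cases above share one pattern: a signed, legitimate executable is placed somewhere the attacker controls and made to load a malicious DLL from its own directory (ATT&CK T1073, DLL Side-Loading). The script below is an added example, not code from SentinelLabs or from the report, showing the detection heuristics a defender would run over image-load telemetry: a DLL that is not served from a Windows system directory, sits next to a signed executable, and is unsigned or carries the name of a DLL that should normally resolve from System32. The event field names (`image`, `loaded`, `image_signed`, `loaded_signed`, `image_dir_writable`), the sample events, the system-directory allow-list and the short list of commonly hijacked DLL names are all constructed assumptions; map them to your own EDR or Sysmon Event ID 7 schema.

```python
"""Flag candidate DLL side-loading (ATT&CK T1073) in image-load telemetry.

Added example; not SentinelLabs' code. Field names, sample events and the
allow-lists below are constructed assumptions for illustration only.
"""
import json

# Directories from which Windows normally serves system DLLs.
# Assumption: a minimal allow-list; extend it for your environment.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names that legitimately live in a system directory and are therefore
# suspicious when loaded from anywhere else. Assumption: short illustrative set.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}

# Constructed sample: four Sysmon-style ImageLoad events as JSON lines.
SAMPLE_EVENTS = r"""
{"image":"C:\\Program Files\\Vendor\\tool.exe","image_signed":true,"image_dir_writable":false,"loaded":"C:\\Windows\\System32\\kernel32.dll","loaded_signed":true}
{"image":"C:\\Users\\Public\\tool.exe","image_signed":true,"image_dir_writable":true,"loaded":"C:\\Users\\Public\\helper.dll","loaded_signed":false}
{"image":"C:\\Users\\Public\\tool.exe","image_signed":true,"image_dir_writable":true,"loaded":"C:\\Windows\\System32\\ntdll.dll","loaded_signed":true}
{"image":"C:\\Temp\\updater.exe","image_signed":true,"image_dir_writable":true,"loaded":"C:\\Temp\\version.dll","loaded_signed":true}
"""


def _norm(path):
    """Lower-case a Windows path and normalise slashes so prefix tests are reliable."""
    return path.lower().replace("/", "\\")


def is_under(path, dirs):
    """True if the normalised path lives beneath one of the given directories."""
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in dirs)


def analyze_event(ev):
    """Return the reasons an image-load event looks like side-loading (empty list = benign)."""
    image = _norm(ev["image"])
    dll = _norm(ev["loaded"])
    reasons = []

    # A DLL served from a system directory is the expected case; nothing to flag.
    if is_under(dll, SYSTEM_DIRS):
        return reasons

    image_dir = image.rsplit("\\", 1)[0]
    dll_dir, dll_name = dll.rsplit("\\", 1)

    # Core side-loading signal: a signed (legitimate) executable loading an
    # unsigned DLL from the directory it was launched from.
    if dll_dir == image_dir and ev["image_signed"] and not ev["loaded_signed"]:
        reasons.append("signed executable loading unsigned DLL from its own directory")

    # Search-order hijack signal: a well-known system DLL name resolved outside
    # the system directories, regardless of whether the attacker signed it.
    if dll_name in KNOWN_SYSTEM_DLLS:
        reasons.append(f"{dll_name} normally resolves from a system directory but loaded from {dll_dir}")

    # Context that raises severity: the executable was copied to a user-writable path.
    if reasons and ev.get("image_dir_writable"):
        reasons.append("executable runs from a user-writable location")
    return reasons


def scan(jsonl):
    """Run analyze_event over a JSON-lines stream; return (image, dll, reasons) per finding."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = analyze_event(ev)
        if reasons:
            findings.append((ev["image"], ev["loaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

Run as-is, the script flags the second and fourth constructed events and leaves the two System32 loads alone. In production the signature fields would come from your EDR's Authenticode verdict rather than a boolean in the log, and the writable-directory check is best computed at collection time; the heuristics themselves are the ones analysts typically turn into Sigma or EDR rules for T1073.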

MALWARE FAMILIES: Cobalt Strike, LockBit

ATT&CK IDs: T1140 - Deobfuscate/Decode Files or Information, T1059 - Command and Scripting Interpreter, T1056 - Input Capture, T1190 - Exploit Public-Facing Application, T1059.001 - PowerShell, T1073 - DLL Side-Loading, T1116 - Code Signing
