Cobalt Strike payload is being deployed by LockBit ransomware by exploiting Windows Defender

LockBit ransomware is exploiting windows defender to spread Cobalt Strike payload.

Windows Defender command-line tool is being abused by a threat actor associated with the LockBit ransomware-as-a-service (RaaS) operation.

Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike.

This is the first-ever bug bounty for a RaaS program including an advance search feature to search for targeted files and folders.

In the incident analysis, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

NPAV recommends users to not be entirely dependent on Windows defender for the security of their systems and servers. Install NPAV on your devices to keep them safe and secure from all kinds of cyber attacks.

Use NPAV and join us on a mission to secure the cyber world.