Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implements a series of anti-analysis and anti-debugging routines. That research was quickly followed by others reporting similar findings. Back in April, SentinelLabs had also reported on a LockBit affiliate leveraging the legitimate, signed VMware command-line utility VMwareXferlogs.exe in a live engagement to side-load Cobalt Strike.
Typically, a Cobalt Strike beacon is delivered to a victim machine as a payload dropped by a malicious binary or a PowerShell script. In the April case the affiliate instead relied on DLL side-loading: VMwareXferlogs.exe carries a valid VMware code signature, and when it is run from a directory the attacker controls it loads a DLL of the name it expects from that same directory rather than from the VMware install. The attacker stages the signed executable next to a malicious DLL of that name; the DLL then decrypts and runs the Cobalt Strike beacon, so the malicious code executes inside a process that looks like a trusted vendor tool. No VMware product needs to be present on the host, and nothing about the technique involves the master boot record or an Autorun.inf file.
LockBit affiliates have also recently been reported using WinAppDeployCmd.exe as a side-load host for Cobalt Strike. WinAppDeployCmd is not a PowerShell script and is not open source; it is a signed Microsoft command-line tool shipped with the Windows 10 SDK for installing app packages on remote Windows devices. Its value to the attacker is the same as that of VMwareXferlogs.exe: a trusted, signed executable that can be made to load an attacker-supplied DLL from its own directory.
Last week, SentinelLabs Threat Research also observed a LockBit affiliate delivering Cobalt Strike through the Windows Defender command-line utility (MpCmdRun.exe). The signed utility and its malicious companion DLL were both downloaded from the attacker's command-and-control server and then executed together, so the beacon was loaded under the name of a Microsoft security tool. The common thread across all three cases is the same: LockBit affiliates do not need to exploit a vulnerability in these utilities, they only need a legitimately signed executable that resolves a DLL from its working directory. For defenders, the practical check is to watch for signed executables running from user-writable paths (temp folders, user profiles, public directories) that load unsigned DLLs from the same directory, and to treat known side-load hosts such as VMwareXferlogs.exe or WinAppDeployCmd.exe appearing outside their normal install locations as suspicious.