Attackers are constantly looking for new ways to compromise and infect PC users, and few tricks work better than abusing programs or services that ship with the operating system, such as Windows Defender, the most widely used antivirus today. A group of attackers has found a new way to evade this program's protection so that LockBit 3.0, one of the most dangerous ransomware families, can encrypt all the data on the computer and leave it unrecoverable.
Ransomware is one of the most dangerous types of malware and one of the hardest to detect. When it reaches a computer, by whatever route, the first thing it does is establish itself in the operating system and find a way to keep the antivirus from detecting it when it runs. This can be done in various ways, but one of the most interesting, discovered recently, takes advantage of Cobalt Strike.
Cobalt Strike is a toolkit used in ethical hacking to perform stealthy network reconnaissance, move laterally within a network, locate data, encrypt it and exfiltrate it. The tool itself is legitimate, and antivirus products recognize, detect and block it without difficulty. However, the attackers behind this ransomware found a weakness in MpCmdRun.exe, a Windows Defender command-line component. Through it, they can bring in malicious DLLs that load Cobalt Strike beacons into the system.
MpCmdRun.exe is the Windows Defender process responsible for running scheduled scans, and it depends on a library called "mpclient.dll". The attackers created a fake library with the same name and placed it where the process looks for the original, so that Windows Defender itself loads it. Because a trusted process does the loading, the ransomware's components stay hidden on the system.
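From a detection standpoint, the telling signal is a Windows Defender process mapping an mpclient.dll that is not the one shipped in the Defender directories, or one that lacks a Microsoft signature. The following is an added example, not code from the original article or from any vendor: it scans image-load records (Sysmon Event ID 7 style) that are assumed to have been exported as one "key=value; key=value" line per event. The field names, the directory list and the sample log lines are constructed for the example.

```python
"""Flag sideloading of mpclient.dll by MpCmdRun.exe in image-load logs.

Added example, not code from the original article. Assumes Sysmon-style
image-load events were exported as 'key=value; key=value' text lines; the
field names are hypothetical and the sample records below are constructed.
"""
from dataclasses import dataclass
from typing import List

# Directories from which the legitimate Windows Defender binaries load their
# DLLs (the platform version sub-folder varies, so only the prefix is checked).
TRUSTED_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

@dataclass
class ImageLoad:
    image: str         # process whose loader mapped the DLL
    image_loaded: str  # full path of the DLL that was mapped
    signed: bool       # whether the DLL has a valid Authenticode signature
    signature: str     # signer subject, empty when unsigned

def parse_line(line: str) -> ImageLoad:
    """Parse one 'key=value; ...' record into an ImageLoad."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip().lower()] = value.strip()
    return ImageLoad(
        image=fields["image"],
        image_loaded=fields["imageloaded"],
        signed=fields.get("signed", "false").lower() == "true",
        signature=fields.get("signature", ""),
    )

def _in_trusted_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in TRUSTED_DIRS)

def is_suspicious(ev: ImageLoad) -> bool:
    """True when MpCmdRun.exe maps an mpclient.dll that is not the trusted one."""
    if not ev.image.lower().endswith("\\mpcmdrun.exe"):
        return False
    if not ev.image_loaded.lower().endswith("\\mpclient.dll"):
        return False
    microsoft_signed = ev.signed and ev.signature.startswith("Microsoft")
    # A sideloaded copy fails at least one of these: the process or the DLL
    # sits outside the Defender directories, or the DLL is not Microsoft-signed.
    return not (_in_trusted_dir(ev.image)
                and _in_trusted_dir(ev.image_loaded)
                and microsoft_signed)

def scan(lines: List[str]) -> List[ImageLoad]:
    """Return the records that look like sideloading of mpclient.dll."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    # Legitimate scan: Defender binary loads its own signed DLL.
    "Image=C:\\Program Files\\Windows Defender\\MpCmdRun.exe; "
    "ImageLoaded=C:\\Program Files\\Windows Defender\\mpclient.dll; "
    "Signed=true; Signature=Microsoft Windows",
    # DLL pulled from a user-writable directory: sideloading.
    "Image=C:\\Program Files\\Windows Defender\\MpCmdRun.exe; "
    "ImageLoaded=C:\\Users\\Public\\mpclient.dll; Signed=false; Signature=",
    # DLL in the right place but unsigned: the original was replaced.
    "Image=C:\\Program Files\\Windows Defender\\MpCmdRun.exe; "
    "ImageLoaded=C:\\Program Files\\Windows Defender\\mpclient.dll; "
    "Signed=false; Signature=",
    # Unrelated process, ignored by the rule.
    "Image=C:\\Windows\\System32\\svchost.exe; "
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll; "
    "Signed=true; Signature=Microsoft Windows",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT: {ev.image} loaded {ev.image_loaded} (signed={ev.signed})")
```

The rule deliberately requires all three conditions (trusted process path, trusted DLL path, Microsoft signature) to pass before a load is considered benign, so a copy of the DLL dropped next to the real one is caught by the signature check even though its path looks correct.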
How to protect ourselves
Malware that evades detection is becoming more common, especially in attacks on companies, where attackers use increasingly sophisticated techniques to slip past defenses and carry out the most complex intrusions.
The best protection against this type of threat is common sense: avoid downloading files from dangerous web pages and distrust anything that arrives by email. As we have seen, this particular attack exploits a weakness in Windows Defender, so one option is to replace that antivirus with another, such as Kaspersky or McAfee.

Ransomware targets the most important thing on a PC: its files. An indirect protection, therefore, is to keep backup copies of them. In the worst case, if the malware infects us and steals our data, we still have a way out: format the system to remove every trace of the malware and restore the backup. Of course, we must make sure the backup itself is clean if we want to avoid being infected again.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.