Hackers are constantly looking for new ways to attack and infect PC users. And, for this, there is nothing better than taking advantage of the programs or services that are installed as standard in the operating system, such as Windows Defender, the most widely used antivirus today. In this way, a group of hackers has found a new way to evade the security of this program and use it to deploy LockBit 3.0, one of the most dangerous ransomware families, which hijacks all the data on the computer and makes it impossible to recover.
Ransomware is one of the most dangerous and hardest-to-detect types of malware. When it reaches the computer, by whatever means, the first thing it does is install itself in the operating system and find a way to prevent the antivirus from detecting it when it runs. This can be achieved in several ways, but one of the most interesting, discovered recently, is to take advantage of Cobalt Strike.
Cobalt Strike is a set of tools used in ethical hacking to perform stealthy network analysis, move laterally within a network, find data, encrypt it and steal it. The tool is legitimate, and antiviruses recognize, detect and block it without any problem. However, the hackers behind this ransomware have found a weakness in Windows Defender's MpCmdRun.exe process. Thanks to it, it is possible to download and load malicious DLLs that inject Cobalt Strike beacons into the system.
The MpCmdRun.exe process is responsible for running scheduled scans on the system, and to do so it depends on a library called "mpclient.dll". Hackers have created a fake library with the same name which, when placed in the path from which the original is loaded, Windows Defender ends up running instead (a technique known as DLL side-loading). By doing so, it allows the ransomware to remain hidden on the system.
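From the defender's side, the telltale sign of this technique is MpCmdRun.exe loading an mpclient.dll that is unsigned or that does not live in the Windows Defender directories. The following Python script is an added example (not code from the original article) that scans Sysmon-style image-load events and flags exactly that; the trusted directories, the JSON field layout and the sample events are assumptions constructed for the demonstration.

```python
import json
from pathlib import PureWindowsPath

# ASSUMPTION: directories from which Windows Defender legitimately loads
# mpclient.dll (default install path and per-version platform folder).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def under_trusted_dir(path):
    """True if the file sits in (or below) one of the trusted directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(event):
    """Return a finding string for one image-load event, or None if benign."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    loaded = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
    if image != "mpcmdrun.exe" or loaded != "mpclient.dll":
        return None  # not the MpCmdRun.exe -> mpclient.dll load we care about
    reasons = []
    if not under_trusted_dir(event["ImageLoaded"]):
        reasons.append("mpclient.dll loaded from outside Defender directories")
    if not under_trusted_dir(event["Image"]):
        reasons.append("MpCmdRun.exe running from outside Defender directories")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("mpclient.dll is not Microsoft-signed")
    return "; ".join(reasons) if reasons else None


def scan(lines):
    """Yield (ProcessId, finding) for each suspicious event in a JSON-lines feed."""
    for line in lines:
        ev = json.loads(line)
        finding = classify(ev)
        if finding:
            yield ev.get("ProcessId"), finding


# Constructed sample events using Sysmon Event ID 7 field names; not real telemetry.
SAMPLE_LOG = [
    json.dumps({"EventID": 7, "ProcessId": 4120,
                "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
    json.dumps({"EventID": 7, "ProcessId": 5388,
                "Image": r"C:\Users\Public\MpCmdRun.exe",
                "ImageLoaded": r"C:\Users\Public\mpclient.dll",
                "Signed": "false", "Signature": ""}),
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_LOG):
        print(f"pid {pid}: {finding}")
```

Feeding real Sysmon Event ID 7 records (exported as JSON lines) into `scan` turns this into a simple hunt query for the side-loading described above.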
How to protect ourselves
Undetectable malware is becoming more common, especially in attacks on businesses. Hackers use techniques that seem straight out of science fiction to evade security measures and carry out the most complex computer attacks.
The best way to protect ourselves from this type of threat is to use common sense: avoid downloading files from dangerous web pages, and be wary of anything that reaches us by email. As we have seen, in this specific case the attackers exploit a weakness in Windows Defender, so one option is to replace this antivirus with another, such as Kaspersky or McAfee.
Ransomware attacks the most important thing on our PC: our files. Therefore, an indirect way to protect ourselves is to back them up. That way, in the worst case, if it infects us and steals our data, we will have an escape route: it will be enough to format the machine to erase all traces of the malware and then restore the backup. Of course, we must make sure the backup is clean if we want to avoid ending up infected again.