The Log4j vulnerability is now being used to deploy Cobalt Strike beacons through a Windows Defender command-line tool, researchers have found.
Cybersecurity researchers from Sentinel Labs recently spotted a new technique, operated by an as-yet-unidentified threat actor, whose endgame is the deployment of LockBit 3.0 ransomware.
It works like this: the threat actor uses Log4Shell (as the Log4j zero-day is known) to gain access to the target endpoint and obtain the necessary user privileges. Once that is out of the way, they use PowerShell to download three different files: a clean Windows command-line utility, a DLL file (mpclient.dll), and a LOG file (the actual Cobalt Strike beacon).
Side-loading Cobalt Strike
They then run MpCmdRun.exe, a command-line utility that performs various Microsoft Defender tasks. This program normally loads a legitimate DLL file, mpclient.dll, which it needs in order to run properly. In this case, however, the program loads the malicious DLL of the same name that was downloaded alongside it.
This DLL then loads the LOG file and decrypts the encrypted Cobalt Strike payload.
The method is known as DLL side-loading.
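As an added example (not code from the Sentinel Labs or BleepingComputer reporting), here is a small Python check a defender could run over image-load telemetry to flag the pattern described above: MpCmdRun.exe loading an mpclient.dll from outside Defender's install directories, or an unsigned copy of it. The trusted directory list, the event field names (modelled on Sysmon image-load records) and the sample events are assumptions constructed for the demo.

```python
import ntpath
from typing import Optional

# Assumed legitimate locations of MpCmdRun.exe and mpclient.dll. Versioned
# subfolders under Platform\ are covered by the prefix match below.
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def in_trusted_dir(path: str) -> bool:
    """True if the Windows path sits in (or under) a Defender install directory."""
    directory = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DEFENDER_DIRS)


def classify_image_load(event: dict) -> Optional[str]:
    """Return a reason string if this event looks like mpclient.dll side-loading, else None."""
    proc = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if proc != "mpcmdrun.exe" or dll != "mpclient.dll":
        return None  # only the MpCmdRun.exe -> mpclient.dll pairing is of interest here
    reasons = []
    if not in_trusted_dir(event["Image"]):
        reasons.append("MpCmdRun.exe executed from outside the Defender install directory")
    if not in_trusted_dir(event["ImageLoaded"]):
        reasons.append("mpclient.dll loaded from outside the Defender install directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("loaded mpclient.dll is not signed")
    return "; ".join(reasons) if reasons else None


# Constructed sample events: one benign Defender load, one copy of the pair
# dropped into a user-writable folder, and one unrelated load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]


def scan(events):
    """Return (process image, reason) pairs for every suspicious event."""
    return [(e["Image"], r) for e in events if (r := classify_image_load(e))]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```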
Usually, this LockBit affiliate used a VMware command-line tool to load Cobalt Strike beacons, BleepingComputer says, so the switch to Windows Defender is a departure. The publication speculates that the change was made to bypass protections VMware introduced recently. Still, abusing living-off-the-land tools to evade detection by antivirus or malware protection services is "common" these days, the publication concludes, urging businesses to review their security measures and to keep a close watch on how legitimate executables are (ab)used.
Although Cobalt Strike is a legitimate tool used for penetration testing, it has become notorious because threat actors everywhere abuse it. It comes with a host of features that cybercriminals can use to map a targeted network, stay undetected, and move laterally across endpoints while preparing for data exfiltration and ransomware deployment.
via: BleepingComputer