Written by: Yiftach Keshet
The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to explain the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.
As the name implies, LOLs make use of what they have around them (legitimate system utilities and tools) for malicious purposes. This allows them to blend in with regular network activity and remain hidden. Some capabilities of LOLs are: DLL hijacking, hiding payloads, process dumping, downloading files, bypassing UAC, keylogging, code compiling, log evasion, code execution, and persistence.
To be considered a LOL, the binary, library, or script in question must be on the system by default or put on the system by the user. It also needs to have unexpected functionality with the ability to be repurposed, and it must be useful to an attacker. These different LOL characteristics are an asset to malware creators, as LOLs seem benign at first and run undetected by standard AV tools.
Until recently, LOL techniques were used in the context of post-compromise activities, where attackers leveraged legitimate admin tools such as PowerShell, Windows Management Instrumentation (WMI), CMD, PsExec.exe, and others to perform reconnaissance and lateral movement. But, over the last few years, LOLBins have become popular among malware authors as part of their initial compromise payload.
Using LOLBins in attacks is clearly beneficial to attackers. To illustrate, in November 2018, a hacking group called TA505 conducted a targeted phishing campaign against large financial institutions. The group used LOLBins extensively to carry out malicious activities such as payload delivery, which made the delivery of the malware payload stealthier. The attackers went to great lengths to hide their tracks, indicating a very sophisticated attack. In general, detecting malware of this nature is very difficult.
Fileless malware is a type of malware that exists as a memory-based artifact only, with no (or at least very little) activity being written to the hard drive. Because fileless attacks don’t install malicious software, they are very difficult for typical AV tools to detect. In a sense, this makes fileless malware more complex to tackle than other variants, but since it doesn’t write anything to disk, once the system is rebooted, it disappears.
Fileless malware has been in use since the early 2000s: early variants were Frodo, Code Red, and SQL Slammer Worm. Frodo was bothersome, but not damaging. It displayed the message “Frodo Lives” on infected computers once a year, on September 22, the birthday of Frodo Baggins, a character in J.R.R. Tolkien’s book, “The Hobbit”. Code Red, which surfaced in 2001, and 2003’s Slammer, were both far more threatening. They caused widespread damage, hitting government agencies and corporations hard.
For reasons unknown, fileless malware attackers lay low until 2012, when a banking trojan named Lurk was discovered by researchers from Kaspersky. While it was not the most sophisticated trojan in terms of code, it was notable for its ability to evade detection, thanks to the fact that it was fileless.
Since then, fileless malware has become a relatively common exploit method, playing major roles in the massive Equifax breach of 2017 and the hacking of the Democratic National Committee in 2016, among other attacks.
As with all malware, once one antivirus firm blacklists a file, the jig is up. This means that malware authors have to keep improving their software to remain undetected. Today, fileless attacks often (but not always) incorporate LOL techniques because they operate without writing files onto disk or on the file system, which helps them remain undetected for longer.
Below are some prominent malware incidents in which malware creators used LOLBin techniques in fileless attacks:
2017’s major fileless malware, dubbed POSHSPY, used WMI processes to obtain persistence and used PowerShell for the payload. LOLBins helped the attackers create a highly stealthy backdoor that could be deployed along with other, more traditional backdoors, which allowed them to maintain persistence.
Again in 2017, APT34, also known as Helix Kitten and OilRig, used LOLBin techniques to remain undetected in their fileless POWRUNER backdoor attacks. It has long been suspected that APT34 is of Iranian origin, and that it has targeted telecom, energy, and government agencies. It often uses Microsoft Excel macros and PowerShell to obtain access to targets.
Perhaps most notable is the Astaroth fileless trojan attack, which has been spreading since early 2018. It targets users across Europe and Brazil, can intercept OS calls, and monitors clipboards to steal data. It also features keylogging capabilities. As for its LOL component, it abuses the WMI command line to download and install malware without arousing suspicion. The stolen credentials allow attackers to move across networks to conduct other, more damaging attacks unnoticed.
As illustrated above, the combination of fileless malware and LOLBin techniques makes for a formidable threat. Security experts posit that we will see a great deal more of this method in the future, as the use of legitimate files helps malware remain undetected unless proper defense methods are taken.
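The process relationships behind the three incidents above (WMI or an Office macro launching a script interpreter, and the WMI command line fetching remote content) can be checked against process-creation telemetry. The following is an added example, not code from the original article or from Cynet; the Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`), the rule names, the process lists and the sample events are constructed assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -NoProfile -File report.ps1"},
    {"Image": WMIC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic.exe [arguments elided] https://example.invalid/resource"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"Image": WMIC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic logicaldisk get name,freespace"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

# Assumed (hypothetical) lists; tune them to the environment being monitored.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL = re.compile(r"https?://", re.IGNORECASE)

def base(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the names of the heuristic rules this event matches."""
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    hits = []
    if parent in OFFICE and image in INTERPRETERS:  # macro-launched script host
        hits.append("office_spawns_interpreter")
    if image == "wmic.exe" and URL.search(event.get("CommandLine") or ""):
        hits.append("wmic_remote_url")  # WMIC referencing network content
    if parent == "wmiprvse.exe" and image in INTERPRETERS:  # WMI-launched script host
        hits.append("wmi_spawns_interpreter")
    return hits

def triage(events):
    """Return (index, matched rules) for every event with at least one hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits, SAMPLE_EVENTS[idx]["CommandLine"])
```

Administrators use these same binaries legitimately, so hits from rules like these are triage leads that need allowlisting and context rather than verdicts.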
LOLBins are a sophisticated threat and detecting them requires advanced tools. Cynet 360 applies a multilayered defense against running malware, fusing multiple sensors to pinpoint malicious behavior. By monitoring process behavior, it identifies the anomalies that typically occur when Windows binaries are invoked in a malicious context. As Cynet 360 encounters LOLBin attacks in increasing volume, it deepens its knowledge of the attacks’ execution patterns to enhance its efficiency and accuracy.