Living-off-the Land Binaries (LOLBins) are no joke; These system utility tools have become a new favorite attack channel for threat actors to hide their malicious activity from security solutions. Since these tools are by their nature trusted, they tend to bypass the scrutiny of many antiviruses and other security platforms.
Windows LOLBins are the most targeted
- According to Threatpost, Windows has a large number of utilities that are targeted by threat actors.
- For instance, the utilities Regsvr32.ex and Rundll.exe have seen a spike in abuse levels, with both being used extensively to distribute QBot and IceID trojan last year.
- Similarly, there has been an uptick in the exploitation of Microsoft Equation Editor (EE) vulnerability in the EQNEDT32.exe Windows utility that enables attackers to spread Loki and Agent Tesla malware samples.
- There has also been a rise in the abuse of Mshta.exe Windows utility that allowed cybercriminals to propagate TrickBot trojan last year.
- Apart from the abuse of Windows system utilities, cybercriminals also targeted several macOS and Linux utilities to deploy a wide range of malware such as Shlayer, Kinsing cryptocurrency miner, and Mirai botnet.
A peek at the recent attacks
- State-sponsored Iranian hacking group MuddyWater managed to pivot an attack campaign against Turkish organizations by leveraging the LOLBins to hijack systems.
- Once inside a targeted system, the attackers stole intellectual properties before deploying ransomware to disrupt the operations.
- A new Lazarus attack campaign dubbed LolZarus had also incorporated LOLBins in their infection chain process to target applicants seeking jobs at Lockheed Martin.
- The attackers used two phishing documents named ‘Lockheed_Martin_JobOpportunities.docx’ and ‘Salary_Lockheed_Martin_job_opportunities_confidential.doc’ to deploy malicious macros.
What does this indicate?
LOLBins are becoming an attractive approach for cybercriminals to get around certain security restrictions. Until recently, these techniques were used in the context of post-compromise activities, where attackers leveraged legitimate admin tools such as WMI, Powershell, and CMD to perform reconnaissance and lateral movement. But, over the last few years, LOLBins have become popular among malware authors as part of their initial compromise payload.
Conclusion
As the abuse of LOLBins increases, companies of all sizes should act now to keep their networks and endpoint safe to ward off stealthy malware threats.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_465668897.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0710_shutterstock_1889114455_1.jpg)
