What Are LOLBins and How Do Attackers Use Them in Fileless Attacks?


August 17, 2020
Last Updated: November 20, 2024

Written by: Yiftach Keshet

What Is “Living off the Land?”

The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.


As the name implies, LOLs make use of what they have around them (legitimate system utilities and tools) for malicious purposes. This allows them to blend in with regular network activity and remain hidden. Some capabilities of LOLs are: DLL hijacking, hiding payloads, process dumping, downloading files, bypassing UAC, keylogging, code compiling, log evasion, code execution, and persistence.

To be considered a LOL, the binary, library, or script in question must be on the system by default or put on the system by the user. It also needs to have unexpected functionality with the ability to be repurposed, and it must be useful to an attacker. These different LOL characteristics are an asset to malware creators, as LOLs seem benign at first and run undetected by standard AV tools.


The Evolution of LOLs

Until recently, LOL techniques were used in the context of post-compromise activities, where attackers leveraged legitimate admin tools such as PowerShell, Windows Management Instrumentation (WMI), CMD, PsExec.exe, and others to perform reconnaissance and lateral movement. But, over the last few years, LOLBins have become popular among malware authors as part of their initial compromise payload.

Using LOLBins in attacks is clearly beneficial to attackers. To illustrate, in November 2018, a hacking group called TA505 conducted a targeted phishing campaign against large financial institutions. The group used LOLBins extensively to carry out malicious activities such as payload delivery, which let it deliver the malware payload with extra stealth. The attackers went to great lengths to hide their tracks, indicating a very sophisticated attack. And, in general, detecting malware of this nature is very difficult.


Major Fileless Malware Attacks

Fileless malware is a type of malware that exists as a memory-based artifact only, with no (or, at least, very little) activity being written to the hard drive. Because fileless attacks don’t install malicious software, they are very difficult for typical AV tools to detect. In a sense, this makes fileless malware more complex to tackle than other variants, but since it doesn’t write anything to disk, once the system is rebooted, it disappears.

Fileless malware has been in use since the early 2000s: early variants were Frodo, Code Red, and the SQL Slammer worm. Frodo was bothersome, but not damaging. It displayed the message “Frodo Lives” on infected computers once a year, on September 22, the birthday of Frodo Baggins, a character in J.R.R. Tolkien’s book, “The Hobbit”. Code Red, which surfaced in 2001, and 2003’s Slammer, were both far more threatening. They caused widespread damage, hitting government agencies and corporations hard.

For reasons unknown, fileless malware attackers lay low until 2012, when a banking trojan named Lurk was discovered by researchers from Kaspersky. While it was not the most sophisticated trojan in terms of code, it was notable for its ability to evade detection, thanks to the fact that it was fileless.

Since then, fileless malware has become a relatively common exploit method, playing major roles in the massive Equifax breach of 2017 and the hacking of the Democratic National Committee in 2016, among other attacks.

Tips From the Expert

In my experience, here are tips that can help you better defend against “Living off the Land” (LOL) techniques used in fileless malware attacks:

  1. Comprehensive Logging and Monitoring: Enable detailed logging for PowerShell, WMI, and other relevant activities. Correlate logs to identify suspicious behavior and detect LOL techniques like POWRUNER and Astaroth.
  2. Restrict and Monitor System Tools: Use AppLocker or WDAC to restrict the execution of non-standard binaries (LOLBins) like certutil.exe, mshta.exe, and rundll32.exe. Monitor for unusual usage of these tools and flag suspicious activity.
  3. Behavior-Based Detection and Anomaly Analysis: Employ behavioral analytics to detect LOLBin abuse and identify unusual or unauthorized processes. This helps identify malicious activity that might bypass traditional signature-based detection.
  4. Just Enough Administration (JEA): Implement JEA to limit the actions users can perform with administrative privileges, reducing the risk of adversaries using LOL techniques to execute malicious code.
  5. EDR with Memory-Based Detection: Deploy EDR solutions that can identify malware directly in memory. This is crucial for detecting fileless malware that leaves minimal disk traces. Ensure your EDR scans for suspicious in-memory behaviors and tracks system utilities.

Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.
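The logging and LOLBin-monitoring tips above describe the kind of detection logic a defender would write. As an added example (not code from the page, Cynet, or its author), the following script scans constructed process-creation records for the binaries the page names (certutil.exe, mshta.exe, rundll32.exe, the WMI command line, PowerShell) and flags two patterns: a URL on the command line of a trusted tool, and a trusted tool spawned by an Office application such as the Excel macros mentioned under POWRUNER. The key="value" record layout and the Office parent list are assumptions for illustration, not a real Sysmon or EDR schema.

```python
"""Flag suspicious LOLBin launches in constructed process-creation records (illustrative
heuristics: a page-named built-in binary run with a URL on its command line, or spawned by an
Office application). The key="value" format is constructed, not a real Sysmon/EDR schema."""
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Binaries the page names as abused LOLBins; wmic.exe is the WMI command line.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "wmic.exe", "powershell.exe"}
# Office parents (assumed list; the page mentions Excel macros).
OFFICE_PARENTS = {"excel.exe", "winword.exe"}

def parse_event(line):
    """Parse one constructed key="value" record into a dict of fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the reasons an event looks like LOLBin abuse (empty list if benign)."""
    image = basename(event.get("image", ""))
    if image not in LOLBINS:
        return []
    reasons = []
    if URL_RE.search(event.get("cmdline", "")):
        reasons.append("lolbin_with_url")      # download-style use of a trusted tool
    if basename(event.get("parent", "")) in OFFICE_PARENTS:
        reasons.append("lolbin_from_office")   # document macro spawning a system binary
    return reasons

def scan(lines):
    """Return (timestamp, image, reasons) for every record that triggers a heuristic."""
    hits = []
    for event in map(parse_event, lines):
        reasons = classify(event)
        if reasons:
            hits.append((event["ts"], basename(event["image"]), reasons))
    return hits

# Constructed sample records: benign admin use, two abuse patterns, benign control-panel load.
SAMPLE_LOG = [
    r'ts="2024-11-20T10:01:02" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -hashfile C:\temp\setup.msi SHA256"',
    r'ts="2024-11-20T10:03:44" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe http://example.invalid/invoice.hta"',
    r'ts="2024-11-20T10:05:10" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -File C:\temp\macro.ps1"',
    r'ts="2024-11-20T10:07:31" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The benign certutil hash check and the rundll32 control-panel launch pass through untouched, which is the point: the trigger is context (URL, Office parent), not the mere presence of a LOLBin.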

LOLBins and Fileless Malware: More Effective Together

As with all malware, once one antivirus firm blacklists a file, the jig is up. This means that malware authors have to keep improving their software to remain undetected. Today, fileless attacks often (but not always) incorporate LOL techniques, because the repurposed system tools operate without writing new files to disk, which helps the attack remain undetected for longer.

Below are some prominent malware incidents in which malware creators used LOLBin techniques in fileless attacks:

POSHSPY

2017’s major fileless malware, dubbed POSHSPY, used WMI processes to obtain persistence and used PowerShell for the payload. LOLBins helped the attackers create a highly stealthy backdoor that could be deployed along with other, more traditional backdoors, which allowed them to maintain persistence.

POWRUNER

Again in 2017, APT34, also known as Helix Kitten and OilRig, used LOLBin techniques to remain undetected in their fileless POWRUNER backdoor attacks. It has long been suspected that APT34 is of Iranian origin, and that it has targeted telecom, energy, and government agencies. It often uses Microsoft Excel macros and PowerShell to obtain access to targets.


Astaroth

Perhaps most notable is the Astaroth fileless trojan attack, which has been spreading since early 2018. It targets users across Europe and Brazil, can intercept OS calls, and monitors clipboards to steal data. It also features keylogging capabilities. As for its LOL component, it abuses the WMI command line to download and install malware without arousing suspicion. The stolen credentials allow attackers to move across networks to conduct other, more damaging attacks unnoticed.
