Friday, November 1, 2024
HomeComputer SecurityAPT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

APT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

Published on

Malware protection

Earlier time, cybercriminals depend more on the malware files, scripts, VBscripts to achieve their course of action. Modern ay cyber threat actors, depends more on abusing the genuine windows system files and achieve their goal in persistence, defense evasion, lateral movement and more.

In every system, there are Trusted Binaries, Scripts and Library files are available for the purpose of system communications. But cybercriminals use this genuine utility in such a way where the defense systems fail to stop this behavior. These binaries, scripts, and libraries cannot be blocked since they are valid and might leads to system crash if they are deleted.

Attackers can be using these utilities to perform; Code execution, downloading files Bypassing UAC, Compiling code, Process dumping, Keylogging, Log evading, Hijacking of DLL, persistence, pass-through execution.

- Advertisement - SIEM as a Service

Motive of abusing LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.

The goal of the attacker in most times, to blend into systems to avoid raising red alarms in SOC and give themselves more time to move laterally in the network, condut actions, steal data. PowerShell and WMI are far from the only trusted applications with the potential for abuse, however recently researchers found more binaries which can be abused for the attack purpose.

“Living off the land” was coined by Matt Graeber & Oddvar Moe and the main intension of this project is to understand what binaries were the attackers abuse to carry out malicious activities.

  • LOLBins – Living Off The Land Binaries
  • LOLScripts – Living Off The Land Scripts
  • LOLLibs – Living Off The Land Libraries
  • GTFOBins – Unix Platform Binaries

Why it is critical?

Security Researcher Pierre-Alexandre Braeken pointed out, “Traditional antivirus or even endpoint detection and response (EDR) products won’t always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network.”

Let’s see an example:

Certutil.exe” is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Attackers POV: Certutil is a great little binary that can download remote files, create certificates, or encode files. Not only can this built-in exe encode a file to base64, It can also encode into hex. When encoding to b64, it includes the certificate header and footer, which one may find convincing.


Conclusion

We are seeing many APT threat actors are using LOLBins for their activity. Mitre ATT&CK already having some functionality details and this project requires more contribution towards finding more new binaries using by threat actors. So the threat hunting teams and the SOC teams should understand the LOLBins and GTFOBins.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...