Sunday, February 9, 2025
HomeComputer SecurityAPT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

APT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

Published on

SIEM as a Service

Follow Us on Google News

Earlier time, cybercriminals depend more on the malware files, scripts, VBscripts to achieve their course of action. Modern ay cyber threat actors, depends more on abusing the genuine windows system files and achieve their goal in persistence, defense evasion, lateral movement and more.

In every system, there are Trusted Binaries, Scripts and Library files are available for the purpose of system communications. But cybercriminals use this genuine utility in such a way where the defense systems fail to stop this behavior. These binaries, scripts, and libraries cannot be blocked since they are valid and might leads to system crash if they are deleted.

Attackers can be using these utilities to perform; Code execution, downloading files Bypassing UAC, Compiling code, Process dumping, Keylogging, Log evading, Hijacking of DLL, persistence, pass-through execution.

Motive of abusing LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.

The goal of the attacker in most times, to blend into systems to avoid raising red alarms in SOC and give themselves more time to move laterally in the network, condut actions, steal data. PowerShell and WMI are far from the only trusted applications with the potential for abuse, however recently researchers found more binaries which can be abused for the attack purpose.

“Living off the land” was coined by Matt Graeber & Oddvar Moe and the main intension of this project is to understand what binaries were the attackers abuse to carry out malicious activities.

  • LOLBins – Living Off The Land Binaries
  • LOLScripts – Living Off The Land Scripts
  • LOLLibs – Living Off The Land Libraries
  • GTFOBins – Unix Platform Binaries

Why it is critical?

Security Researcher Pierre-Alexandre Braeken pointed out, “Traditional antivirus or even endpoint detection and response (EDR) products won’t always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network.”

Let’s see an example:

Certutil.exe” is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Attackers POV: Certutil is a great little binary that can download remote files, create certificates, or encode files. Not only can this built-in exe encode a file to base64, It can also encode into hex. When encoding to b64, it includes the certificate header and footer, which one may find convincing.


Conclusion

We are seeing many APT threat actors are using LOLBins for their activity. Mitre ATT&CK already having some functionality details and this project requires more contribution towards finding more new binaries using by threat actors. So the threat hunting teams and the SOC teams should understand the LOLBins and GTFOBins.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...