Sunday, September 8, 2024
HomeComputer SecurityAPT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

APT Malware LOLBins & GTFOBins Attack users by Evading the Security Sysem

Published on

Earlier time, cybercriminals depend more on the malware files, scripts, VBscripts to achieve their course of action. Modern ay cyber threat actors, depends more on abusing the genuine windows system files and achieve their goal in persistence, defense evasion, lateral movement and more.

In every system, there are Trusted Binaries, Scripts and Library files are available for the purpose of system communications. But cybercriminals use this genuine utility in such a way where the defense systems fail to stop this behavior. These binaries, scripts, and libraries cannot be blocked since they are valid and might leads to system crash if they are deleted.

Attackers can be using these utilities to perform; Code execution, downloading files Bypassing UAC, Compiling code, Process dumping, Keylogging, Log evading, Hijacking of DLL, persistence, pass-through execution.

- Advertisement - EHA

Motive of abusing LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.

The goal of the attacker in most times, to blend into systems to avoid raising red alarms in SOC and give themselves more time to move laterally in the network, condut actions, steal data. PowerShell and WMI are far from the only trusted applications with the potential for abuse, however recently researchers found more binaries which can be abused for the attack purpose.

“Living off the land” was coined by Matt Graeber & Oddvar Moe and the main intension of this project is to understand what binaries were the attackers abuse to carry out malicious activities.

  • LOLBins – Living Off The Land Binaries
  • LOLScripts – Living Off The Land Scripts
  • LOLLibs – Living Off The Land Libraries
  • GTFOBins – Unix Platform Binaries

Why it is critical?

Security Researcher Pierre-Alexandre Braeken pointed out, “Traditional antivirus or even endpoint detection and response (EDR) products won’t always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network.”

Let’s see an example:

Certutil.exe” is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Attackers POV: Certutil is a great little binary that can download remote files, create certificates, or encode files. Not only can this built-in exe encode a file to base64, It can also encode into hex. When encoding to b64, it includes the certificate header and footer, which one may find convincing.


Conclusion

We are seeing many APT threat actors are using LOLBins for their activity. Mitre ATT&CK already having some functionality details and this project requires more contribution towards finding more new binaries using by threat actors. So the threat hunting teams and the SOC teams should understand the LOLBins and GTFOBins.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...