Hackers actively leverage LOLBAS (Living-Off-the-Land Binaries-And-Scripts), it’s a popular methodology that is used by threat actors for exploiting legit tools for hiding the illicit actions performed by them.
Since LOLBAS gaining traction at a rapid pace in cyber attacks, so, experts are also actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware.
Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even the researchers opted for the automation approach and found 12 new files in 4 weeks, a 30% rise in known downloaders and executors.
LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cyber-security landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks.
While it is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes.
Apart from this, due to its exceptional capability to evade detection, LOLBAS still remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.
Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts. And here below we have mentioned those two parts:-
- The path of the potential downloader
- A URL to download the file from
While the second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts.
Experts’ automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.
In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
Here’s how the manual approach looks:-
Besides this, this complete process could be automated via two tools and here they are:-
- IDApython: It finds API call cross-references and decompiles.
- ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like:-
- Automating reverse engineering for deeper code insights
- Revealing structure
- Potential issues
Moreover, this complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.