In recent years, malware in its various forms (ransomware included) has become steadily more subtle and complex. Worse, much of it can fly under the radar of security software.
One of the main reasons malware is so difficult to detect and eliminate is the rise of an attack method called "living off the land" (LotL). Although the phrase sounds like urban agriculture or a sustainable pastoral scene, it refers to a set of techniques that typically run as shellcode or scripts executed in memory, leaving little or nothing on disk.
Attackers who "live off the land" use the system's own tools and utilities to carry out malicious activity. These attacks do not rely on easily detectable malicious files, so the attacker can hide inside a computer or network and avoid being noticed by security tools.
Even when an attack is discovered, the binaries involved cannot simply be eradicated: they are legitimate, signed components that the operating system and its administrators depend on. That is what makes LotL attacks particularly dangerous for victims.
Living off the land: a brief history
The concept of fileless malware, or malware that relies on legitimate programs to do its work, first gained attention around the turn of the century. Early examples of this approach include the Frodo virus and the Code Red and SQL Slammer worms. These payloads were more of a nuisance than a real threat, however. Then, in 2012, a banking Trojan named Lurk appeared. Although not very sophisticated, it showed the potential of LotL.
In 2013, security researchers Christopher Campbell and Matt Graeber coined the term LotL to describe malware that hides in the system and uses legitimate tools and utilities to cause damage. Over the past few years the scope and sophistication of these attacks have continued to grow. In fact, as security vendors have become more adept at identifying and blacklisting malicious files, fileless attacks have become mainstream.
How does living off the land work?
In a LotL attack, the attacker uses tools and utilities that are already present on the system, or that blend in with legitimate administrative activity. These may include PowerShell scripts, Visual Basic scripts, WMI, PsExec, and credential-dumping tools such as Mimikatz (Mimikatz is not a Windows component, but it is routinely loaded straight into memory through PowerShell so that nothing touches the disk). The attack exploits the system's own functionality and hijacks it for malicious purposes. Techniques include DLL hijacking, hidden payloads, process dumping, downloading files, bypassing UAC, keylogging, code compilation, log evasion, code execution, and persistence.
Cybercriminals use different methods and deploy different families of malware that fall into the general LotL category. In many cases they use tools such as POSHSPY, POWRUNER, and Astaroth, which rely on LOLBins (living-off-the-land binaries) and fileless techniques to evade detection. Most attacks involve Windows binaries that mask malicious activity; however, LotL attacks also affect macOS, Linux, Android, and cloud services.
The reason this method is so effective is that the functionality offered by resources such as PowerShell and the Windows Script Host (wscript.exe and cscript.exe) far exceeds what most organizations need, and much of it is never disabled or removed. The LOLBAS project on GitHub catalogs well over 100 Windows binaries, scripts, and libraries that can be abused in this way.
What does a LotL attack look like?
Once attackers have control of a legitimate tool such as PowerShell, they can drive other legitimate processes and code, including other scripting and programming languages whose interpreters or compilers happen to be installed on the host, such as Perl, Python, or C++ (none of these ship with Windows, but they are common on developer and server machines).
For example, an attacker may write a script containing a list of target computers, copy the malware to each peer, and execute it there with PsExec under an account that has the necessary permissions. Another approach is to use Group Policy Objects (GPOs) with logon and logoff scripts, or to abuse Windows Management Instrumentation (WMI), to distribute ransomware across the network at scale.
A related technique is to inject malicious code into a trusted running process (such as svchost.exe) or to load a malicious DLL through the Windows rundll32.exe utility. Security company Sophos reports that this allows documents to be encrypted from inside a trusted process. The tactic can circumvent anti-ransomware products that do not monitor default Windows applications, or that are configured to ignore encryption activity coming from them.
Malwarebytes Labs has pointed out that ransomware may also run from an NTFS Alternate Data Stream (ADS) to hide from users and endpoint protection software. The entire attack usually takes place within a few hours, or overnight when staff are paying less attention to IT systems. Once the malware has encrypted the files, the victim is shown a lock screen and a ransom note.
These attacks often seem to appear out of nowhere because the actual file encryption is performed by the trusted powershell.exe component. According to Sophos, endpoint protection software may therefore fail to flag the process because it looks legitimate.
One of the most widely known LotL attacks occurred in 2017, when the so-called Petya malware (later dubbed NotPetya) emerged. It initially infected an accounting software package in Ukraine and then spread between companies. More recently, the SolarWinds attack (aka SUNBURST) combined LotL with other methods to plant malware in a software update from an IT management software vendor.
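The attack patterns described above (encoded or hidden PowerShell launched from an Office document, PsExec and WMI used for remote execution, rundll32.exe loading a DLL from a user-writable path, a payload run from an NTFS alternate data stream, and a trusted process such as svchost.exe appearing with the wrong parent) all leave traces in process-creation telemetry. The following Python script is an added example, not code from the article or from any vendor it mentions. It applies a small set of heuristic rules to hand-constructed records whose fields loosely follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the rule set is illustrative, not a complete detection library, and some rules (the `-enc` substring match, for instance) will need tuning against a real environment's baseline.

```python
"""Heuristic detection of living-off-the-land activity in process-creation
telemetry.  Added example: the events below are constructed by hand and the
rules are illustrative only."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the process that spawned it


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
# "<drive>:\path\file.ext:stream" - a reference to an NTFS alternate data stream
ADS_RE = re.compile(r"[a-z]:\\[^\s\"']*:[a-z0-9_.-]+", re.IGNORECASE)


def suspicious_powershell(ev: ProcessEvent) -> bool:
    """Encoded, download-cradle or hidden-window PowerShell launches."""
    if _base(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.command_line.lower()
    strong = ("-enc", "-encodedcommand", "downloadstring", "invoke-expression",
              "iex(", "iex ", "frombase64string")
    weak = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
            "-ep bypass", "-executionpolicy bypass")
    return any(s in cl for s in strong) or sum(w in cl for w in weak) >= 2


def office_spawns_script_host(ev: ProcessEvent) -> bool:
    """An Office application launching a script interpreter or shell."""
    return _base(ev.parent_image) in OFFICE_APPS and _base(ev.image) in SCRIPT_HOSTS


def rundll32_abuse(ev: ProcessEvent) -> bool:
    """rundll32 with no DLL argument, a script URL, or a DLL in a user-writable path."""
    if _base(ev.image) != "rundll32.exe":
        return False
    cl = ev.command_line.lower()
    return ".dll" not in cl or "javascript:" in cl or any(d in cl for d in USER_WRITABLE)


def wmi_remote_exec(ev: ProcessEvent) -> bool:
    """wmic 'process call create', or a shell spawned by the WMI provider host."""
    if _base(ev.image) == "wmic.exe" and "process call create" in ev.command_line.lower():
        return True
    return _base(ev.parent_image) == "wmiprvse.exe" and _base(ev.image) in SCRIPT_HOSTS


def psexec_service(ev: ProcessEvent) -> bool:
    """The service binary PsExec drops on the remote host."""
    return _base(ev.image) == "psexesvc.exe"


def ads_execution(ev: ProcessEvent) -> bool:
    """Command line refers to an NTFS alternate data stream."""
    return ADS_RE.search(ev.command_line) is not None


def svchost_unusual_parent(ev: ProcessEvent) -> bool:
    """svchost.exe is normally started by services.exe; anything else is suspect.
    (Note: code *injected* into an already running svchost does not create a
    new process and is invisible to this rule; that needs memory or API telemetry.)"""
    return _base(ev.image) == "svchost.exe" and _base(ev.parent_image) != "services.exe"


RULES = [suspicious_powershell, office_spawns_script_host, rundll32_abuse,
         wmi_remote_exec, psexec_service, ads_execution, svchost_unusual_parent]


def scan(events):
    """Return [(event index, [matching rule names])] for events that hit a rule."""
    findings = []
    for i, ev in enumerate(events):
        names = [rule.__name__ for rule in RULES if rule(ev)]
        if names:
            findings.append((i, names))
    return findings


# Constructed sample telemetry: one benign and one suspicious event per pattern.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"powershell.exe -File C:\scripts\backup.ps1", r"C:\Windows\explorer.exe"),
    ProcessEvent(PS, r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic.exe /node:FILESRV01 process call create "cmd.exe /c \\FILESRV01\share\tool.exe"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic.exe process call create "C:\Users\bob\readme.txt:enc.exe"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs",
                 r"C:\Users\bob\Downloads\invoice.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx].command_line}")
```

Events 0, 7 and 8 (a scheduled backup script, a normal svchost, and a stock Control Panel invocation) produce no findings; every other record trips at least one rule, and the ADS event trips two. In practice these rules belong in a SIEM or EDR query layered on a baseline of what the organization's own administrators actually run, which is also why the article's advice to disable unneeded components matters: every interpreter or utility that is not removed is one more LOLBin the rules have to cover.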
Risk reduction is essential
There is no easy way to eliminate the risk of LotL attacks. Because the malware is so well concealed, it is also difficult to determine who launched an attack.
In general, the best defense is to make sure that unneeded components are disabled or removed from the system. Other strategies include application whitelisting where possible, behavioral analysis software, regular patching and updating of components, multi-factor authentication, and ongoing user education about the risks of clicking email links and opening attachments.
Samuel Greengard writes about business, technology, and cybersecurity for numerous magazines and websites. He is the author of the books "The Internet of Things" and "Virtual Reality" (MIT Press).