The chattr function in Linux is used to set/unset certain attributes of a file. In the third quarter of 2021, chattr and wget were seen to be the top abused Linux utilities.
BUNDLORE COPYLESS CODE
Adversaries may exploit EQNEDT32.exe to execute arbitrary code that’s the case, as mentioned, with the Agent Tesla and Loki malwares.
BUNDLORE COPYLESS WINDOWS
It provides an environment for accessing local or remote Windows system components.ĭridex malware leverages wmic to execute rundll32 in the Execution phase of its attack lifecycle, but adversaries may also abuse wmic.exe to achieve execution, discovery or lateral movement.ĮQNEDT32.exe is a legitimate binary associated with Microsoft Equation Editor. Wmic.exe is an executable which belongs to Windows Management Instrumentation (WMI).
BUNDLORE COPYLESS DOWNLOAD
Adversaries leverage regsvr32 to download suspicious scripts hosted on remote servers and execute it in memory.īoth the Dridex and TrickBot malware families have leveraged regsvr32.exe in their infection routines. Regsvr32 is a Windows built-in utility that can be used to register and unregister service DLLs. The infamous TrickBot malware, often used as a first-stage loader for ransomware and other payloads, has been leveraging mshta.exe for the past year. Adversaries leverage mshta.exe for proxy execution of malicious HTA files or JavaScript or VBScript. Mshta.exe is a Windows utility that executes Microsoft HTML Applications (HTA) files or JavaScript/VBScript files. It provides attackers access to various Windows features which can be abused for downloading payloads, disabling Microsoft Defender and firewalls, executing fileless malware and so on. PowerShell makes a perfect tool for adversaries to compromise a system. Powershell.exe Tactic: Execution and Command & Control
Unsurprisingly, Windows has a large number of utilities that threat actors target for abuse.
The following is a rundown of the most commonly abused LOLBins for Windows, Linux and macOS. These are but the tip of the proverbial cybercrime iceberg. Similarly, the Loki and Agent Tesla spyware samples have been seen exploiting a Microsoft Equation Editor (EE) vulnerability in the EQNEDT32.exe Windows utility at high volume, using decoy documents in the execution phase of the attack lifecycle. For instance, the utilities regsvr32.exe and rundll32.exe have seen spiking abuse levels, with both being used extensively by the Qbot and IcedID backdoor malwares over the course of the last year, as detailed in our latest Quarterly Threat Bulletin. It’s unsurprising, then, that the Uptycs Threat Research team has seen a significant increase in the LOLBins being used in various stages of the MITRE ATT&CK framework. Certain LOLBins utilities though are signed applications, which can in turn open untrusted, unsigned applications. For instance, Application Allow-Listing prevents Windows OS from running code unless it has a valid digital certificate. Using LOLBins is also an attractive approach for cybercriminals because they can use them to get around certain security restrictions. Since these tools are by their very nature trusted (and used for dozens of innocent daily activities), they tend to be invisible to many antivirus and other security platforms that fail to inspect scripts or monitor process behavior.įor instance, it’s tough for security tools to determine if activity like looking up local Domain Controllers using an admin tool is the work of cyberattackers performing recon, or just normal troubleshooting activity. LOLBins are legitimate utilities, libraries and other tools that are native to a given computing environment, which bad actors can hijack and bend to their own nefarious purposes.
It’s time for threat hunters and IT security staff to familiarize themselves with how these are used in the attack chains of some of the most common enterprise malware. Living-off-the-land binaries (LOLBins) are no joke: Cyberattackers have been increasingly making use of them to hide their malicious work from security solutions.
0 kommentar(er)
