LOLBins have become hackers' favourite channel for malware propagation

February 28, 2022
LOLBins Hackers Malware Propagation Windows Lazarus MuddyWater APT

Threat actors have found a new favourite channel, LOLBins, for hiding malicious activity from security providers and their solutions.

Living Off the Land Binaries, or LOLBins, are dangerous and challenging for security detection because they are tools that security solutions already trust. Since they are trusted, they tend to bypass AV solutions and security platforms.

According to researchers, Windows ships many LOLBin utilities that threat actors abuse. For instance, the utilities Rundll32[.]exe and Regsvr32[.]exe have seen increased abuse, both being used by threat actors to spread the IcedID and Qbot trojans last year.

Moreover, increased exploitation of the Microsoft Equation Editor flaw in the EQNEDT32[.]exe Windows utility has allowed threat actors to distribute Agent Tesla and Loki malware samples.

Researchers also noticed an uptick in abuse of the Mshta[.]exe Windows utility, which enabled threat actors to expand their TrickBot trojan infections.

Aside from abusing Windows system utilities, threat actors have also targeted multiple Linux and macOS utilities to launch several malware types, such as the Mirai botnet, cryptocurrency miners, and Shlayer malware.


MuddyWater became the pioneer group to use LOLBins in its cyberattack operations.


The Iranian state-sponsored hacking group MuddyWater conducted a cyberattack campaign against an organisation in Turkey by abusing LOLBins to hijack the target's systems. After infiltrating the systems, the threat actors stole intellectual property before launching ransomware to disrupt the target's operations.

A new Lazarus group attack campaign, called LolZarus, included LOLBins in its attack chain to target applicants looking for jobs at Lockheed Martin.

LOLBins are becoming a distinctive way for threat actors to bypass specific security restrictions. Threat actors use these strategies in post-compromise activity, where cybercriminals leverage legitimate admin tools such as CMD, PowerShell, and WMI to perform retrieval attacks and lateral movement.

Over the last few years, Living-off-the-Land Binaries have become popular among malware developers as part of their initial payloads. As the abuse of LOLBins spikes, all organisations should act immediately to keep their networks from being infected and to stay safe from these elusive malware threats.
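Because the binaries named above (Rundll32, Regsvr32, Mshta, EQNEDT32) are legitimate and signed, blocking them outright is rarely an option; defenders instead look at the context of each invocation: which process launched it, whether the command line references a remote URL, and whether it loads content from a user-writable location. The following Python example, added here and not part of the original article, shows that kind of context-based detection run over a handful of constructed process-creation log lines. The `parent="…" image="…" cmdline="…"` log format, the rule thresholds and every path in the sample log are assumptions made for the example.

```python
"""Context-based LOLBin abuse detection over process-creation logs (added example)."""
import re
from dataclasses import dataclass

# Signed Windows utilities the article names as frequently abused. Their
# presence alone is normal; only the launch context is suspicious.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wmic.exe"}
# Office applications should not normally spawn these utilities.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Locations an unprivileged user (or a dropped document) can write to.
USER_WRITABLE_RE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.IGNORECASE)
# Assumed log format: space-separated key="value" fields (values never contain quotes).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ProcessEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def parse_line(line: str) -> ProcessEvent:
    """Parse one key="value" log line into a ProcessEvent (missing keys become '')."""
    fields = dict(KV_RE.findall(line))
    return ProcessEvent(fields.get("parent", ""), fields.get("image", ""), fields.get("cmdline", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list:
    """Return a list of human-readable findings for one event (empty list = benign)."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent)

    # The Equation Editor has no legitimate reason to spawn child processes;
    # a child of eqnedt32.exe is the classic sign of the flaw the article mentions.
    if parent == "eqnedt32.exe":
        findings.append(f"Equation Editor spawned {image}")

    if image in LOLBINS:
        if parent in OFFICE_PARENTS:
            findings.append(f"{image} spawned by Office application {parent}")
        if URL_RE.search(ev.cmdline):
            findings.append(f"{image} command line references a remote URL")
        if USER_WRITABLE_RE.search(ev.cmdline):
            findings.append(f"{image} loads content from a user-writable path")
    return findings


def scan(lines) -> dict:
    """Map log line index -> findings, keeping only lines that produced findings."""
    results = {}
    for idx, line in enumerate(lines):
        findings = evaluate(parse_line(line))
        if findings:
            results[idx] = findings
    return results


# Constructed sample log: line 0 and line 4 are benign, lines 1-3 should be flagged.
SAMPLE_LOG = [
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    r'parent="C:\Program Files\Microsoft Office\winword.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\Public\update.dll,DllMain"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe http://example.invalid/page.hta"',
    r'parent="C:\Program Files\Common Files\EQNEDT32.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami"',
    r'parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(f"line {idx}:")
        for f in findings:
            print(f"  - {f}")
```

The point of the design is that none of the rules fires on the binary name alone: the first sample line (rundll32 opening a Control Panel applet from Explorer) passes cleanly, while the same binary launched by Word with a DLL under `C:\Users\Public` produces two findings. In a real deployment the same logic maps directly onto Sysmon Event ID 1 or EDR process-creation telemetry, and the parent, URL and writable-path checks are the kind of context that a signature on the file hash of a trusted binary can never provide.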
