Evolving Malware Attacks: Covert Attacks through LOLBAS

The evolving landscape of cyber threats introduces an emerging peril through the expansion of Living-off-the-Land Binaries and Scripts (LOLBAS). LOLBAS encompasses a collection of seemingly benign files that malicious actors exploit after compromising a system. It represents a technique whereby attackers misuse legitimate binaries and scripts already present on the compromised system. This article delves into the growing concern of LOLBAS, encompassing even well-established Microsoft Office executables.

Threat Analysis

Unlike the initial attack vectors seen in phishing or malware, LOLBAS serves as a post-compromise method, allowing attackers to operate covertly and perform activities such as lateral movement, privilege escalation, and data exfiltration. It is a facet of the broader realm of cyber-attack techniques deployed during the advanced stages of an attack. Notably, the growing concern is accentuated by the inclusion of crucial Microsoft Office application executables. Particularly noteworthy is the confirmed ability of Microsoft Publisher's primary executable to download payloads from remote servers, thus highlighting the potential for manipulation.

Targeting Core Microsoft Applications

Of notable concern is the impending inclusion of key executables from Microsoft's Outlook email client and Access database management system. These integral components are now on the radar of malicious actors due to their potential for misuse. 

Exploiting Trusted Executables

In the realm of exploiting trusted executables, a significant revelation has emerged: the confirmed capacity of Microsoft Publisher's primary executable to download payloads from remote servers. This discovery underscores the disconcerting fact that even reputable executables can be manipulated for unauthorized activities. Notably, security researcher Nir Chako of Pentera conducted an extensive investigation, manually identifying MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe as potential risk vectors. These files, typically employed for legitimate purposes, have now been found to be potential conduits for unintended malicious activities.

Building upon these findings, Chako's efforts have evolved to encompass automation. His newly developed script has streamlined the verification process, leading to the identification of six additional risky files. This development marks a 30% increase in the list of LOLBAS downloaders, highlighting the ever-growing complexity of the threat landscape.

Further examining the specifics of vulnerability, while MSPub.exe's role as a downloader of arbitrary payloads has been confirmed, files such as Outlook.exe and MSAccess.exe possess similar capabilities that warrant thorough investigation. These files are currently undergoing meticulous analysis due to unresolved technical uncertainties.

Recommendations

• Keep all software, including operating systems and applications, up to date with the latest security patches to minimize the potential for exploitation through LOLBAS.

• Automated analysis tools with capabilities such as antivirus software.

In conclusion, LOLBAS represents a paradigm shift in cyber threats, turning benign tools into potential weapons. Organizations must adapt to this changing landscape, empowering defenders with insights and strategies to mitigate these evolving challenges. Pentera's detailed paper offers a comprehensive guide for researchers, red-teamers, and defenders to navigate and respond effectively to the LOLBAS threat.