Living off the Land (LotL) attacks, which use legitimate programs or operating system features to cause harm, are nothing new, but now that defenders keep catalogs of the modern binaries that can be abused this way, cybercriminals have had to innovate. Researchers Jean-Ian Boutin and Zuzana Hromcova spoke about one such innovation, the use of legitimate Windows XP components and programs, at RSA Conference 2021.
Living off the Land and vulnerable Windows XP components
Studying the activity of the InvisiMole group, Boutin and Hromcova noted that the group's use of files taken from the long-obsolete operating system helps its tools stay under the radar. The researchers gave those files the general name VULNBins, by analogy with LOLBins, the security community's name for legitimate binaries abused in Living off the Land attacks. The difference is that a VULNBin is chosen precisely because its old version carries a known, unpatched vulnerability.
Of course, dropping an outdated file onto the victim's computer already requires access to it. VULNBins are therefore not used for the initial intrusion; they serve to establish persistence on an already compromised system without being noticed.
Specific examples of using outdated programs and system components
If the attackers fail to gain administrator rights, one tactic they use to establish persistence relies on an old video player with a known buffer overflow vulnerability. Through the Task Scheduler, which needs no elevation for a task running under the user's own account, they create a regularly scheduled task that launches the player. The player itself is an unmodified, legitimate binary; its configuration file has been crafted to trigger the overflow, and the exploit then loads the code for the next stage of the attack.
If, however, the InvisiMole attackers do obtain administrator rights, they can use another method built entirely on legitimate components: the system tool setupSNK.exe, the Windows XP library wdigest.dll, and the Rundll32.exe from the same outdated system, which is needed to load and execute that library. They then manipulate the data the library reads into memory. Because the library was built before ASLR existed, it does not carry the DYNAMIC_BASE flag that opts an image in to address randomization, so Windows loads it at its fixed preferred base address (unless mandatory ASLR is forced on system-wide) and the attackers know exactly where its code will sit in memory.
They store most of the malicious payload in the registry in encrypted form, and every library and executable they use is legitimate. As a result, the only artifacts on disk that betray the intrusion are the crafted player configuration file and the small exploit that targets the outdated libraries. On their own, those rarely raise a security product's suspicion.
How to stay safe
To prevent cybercriminals from using old files and outdated system components (especially ones signed by a legitimate publisher), having a database of such files would be a good start. It would enable existing defenses to block or at least track them (if for some reason blocking is not possible). But that is looking ahead.
Until such a list exists, use our EDR-class solution to:
- Detect and block the execution of Windows components from outside the system folders, for example a copy of rundll32.exe running from a user-writable directory,
- Identify unsigned system files. Many Windows system files carry no embedded Authenticode signature; they are signed through a catalog (.cat) file that ships with the system they belong to. A system file copied to a machine that lacks that catalog verifies as unsigned, which is exactly the state a transplanted XP component is in,
- Create a rule that compares the version information of each executable (or the minimum OS version recorded in its PE header) with the running OS and flags large gaps, such as a Windows XP (5.1) build executing on Windows 10,
- Create a similar rule for other applications, for example blocking the execution of files whose compile timestamp is more than 10 years old. Treat the timestamp as one signal rather than proof: it is attacker-controllable, and some toolchains replace it with a reproducible-build hash.
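The compile-age, OS-version and ASLR signals from the list above, together with the pre-ASLR point from the administrator-rights scenario, can all be checked offline straight from the PE header. The script below is an added example written for this page, not code from the researchers' talk or from any EDR product. It assumes the header layout documented in winnt.h, builds its own minimal PE images in build_pe() instead of reading real Windows files, and uses the RSA Conference 2021 date as the reference "today" so the results are stable. It does not cover the signature and catalog check, which needs the Windows trust APIs.

```python
"""Offline triage of PE files for VULNBin traits (added example, not from the talk).

Reads three things from the PE header, layout per winnt.h: the compile
timestamp, the minimum OS (subsystem) version the image was built for, and
the DllCharacteristics bits that opt an image in to ASLR and DEP.  The PE
images used as input are constructed by build_pe(), not real Windows files.
"""
import datetime as dt
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is DEP-compatible

# Reference "today" for the age check: the RSAC 2021 date (assumption, for stable output)
NOW = dt.datetime(2021, 5, 17, tzinfo=dt.timezone.utc)


def parse_pe(data: bytes) -> dict:
    """Extract the header fields used for triage; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # From MajorOperatingSystemVersion (offset 40) to DllCharacteristics
    # (offset 70) the layout is identical for PE32 and PE32+.
    _, _, _, _, major_sub, minor_sub = struct.unpack_from("<HHHHHH", data, opt + 40)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "compiled": dt.datetime.fromtimestamp(timestamp, dt.timezone.utc),
        "linker": (major_linker, minor_linker),
        "min_os": (major_sub, minor_sub),  # the loader enforces the subsystem version
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
    }


def triage(data: bytes, now: dt.datetime = NOW, oldest_ok=(6, 0), max_age_years=10) -> list:
    """Return the reasons a file looks like a VULNBin candidate; [] means clean."""
    pe = parse_pe(data)
    findings = []
    age_days = (now - pe["compiled"]).days
    if age_days > 365 * max_age_years:
        findings.append("compiled %d years ago (%s)" % (age_days // 365, pe["compiled"].date()))
    if pe["min_os"] < oldest_ok:  # 5.x = XP/2003 era, 6.x = Vista..8.1, 10.0 = Win10/11
        findings.append("built for Windows %d.%d, older than %d.%d" % (pe["min_os"] + oldest_ok))
    if not pe["aslr"]:
        findings.append("no DYNAMIC_BASE: loads at its preferred image base, addresses are predictable")
    if not pe["dep"]:
        findings.append("no NX_COMPAT: DEP opt-in absent")
    return findings


def build_pe(timestamp: int, subsystem=(5, 1), dllchar=0, pe32plus=False) -> bytes:
    """Constructed minimal PE header (no sections) for exercising the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt_size = 96
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           0, timestamp, 0, 0, opt_size, 0x2002)  # DLL | EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x20B if pe32plus else 0x10B, 7, 10)  # linker 7.10
    struct.pack_into("<HHHHHH", opt, 40, subsystem[0], subsystem[1], 0, 0,
                     subsystem[0], subsystem[1])
    struct.pack_into("<HH", opt, 68, 2, dllchar)  # Subsystem=WINDOWS_GUI, DllCharacteristics
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: an XP-era DLL (2004-01-01, subsystem 5.1, no ASLR/DEP)
    # and a current build (2021-01-01, subsystem 6.0, ASLR+DEP) as a control.
    xp_era = build_pe(1072915200)
    modern = build_pe(1609459200, subsystem=(6, 0), dllchar=DYNAMIC_BASE | NX_COMPAT, pe32plus=True)
    for name, image in (("xp_era.dll", xp_era), ("modern.dll", modern)):
        print(name, triage(image) or ["clean"])
```

Run as is, the constructed XP-era image is flagged on all four counts and the modern control comes back clean; to scan real files, pass open(path, "rb").read() to triage(). The subsystem-version check is the machine-readable form of the "OS version versus file version" rule, and the DYNAMIC_BASE check is what makes a library like the one in the administrator-rights scenario predictable in memory.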
As we mentioned, to download something to a victim’s computer, attackers first need to gain access. To prevent any VULNBins from reaching your workstations, install security solutions on all Internet-enabled devices, raise employee awareness about modern cyberthreats, and closely monitor remote access tools.