Cyber attacks are not the exclusive realm of sophisticated attackers. Attack techniques get democratized very quickly.
To illustrate this point, we’ll review a potentially unwanted program (PuP) that uses a clever living-off-the-land attack chain to avoid getting blocked.
Living-Off-the-What-Now?
A living-off-the-land (LoL) attack uses the resources that are already present on a computer to perform malicious actions. Rather than loading additional software on the victim device, LoL attacks craftily repurpose resources to launch an attack.
For example, instead of loading a stager executable that downloads the main malware component, a LoL attack may pass a script to PowerShell, which already exists on the system for normal system administration. That’s how this style of attack got the name “living-off-the-land”: attackers ‘forage’ on what the ‘land’ (the victim’s machine) already offers (programs present on the machine) instead of bringing their ‘own food’ (loading new attack tools or binaries).
This attack methodology is a staple of most advanced attacks because it is a convenient way to bypass defenses.
The programs present on the computer that can be abused (commonly known as LoLbins) are often programs that are known to be legitimate. For example, many of the more dangerous LoLbins are a component of the operating system used for system administration. As a result, the abusable programs will not be flagged by anti-virus software nor will they be blocked by application allowlisting solutions. Companies require additional layers of defense (such as the monitoring service provided by CYDEF) to detect, and ultimately stop, these threats.
LoL Chain
During the course of our daily monitoring, our analysts detected the presence of DriverPackNotifier.
This is a run-of-the-mill “driver optimizer”-type potentially unwanted program (PuP). The business model used by this kind of PuP is to present users with scary alarms telling them their computer needs a series of updates in order to run smoothly. Ultimately, the goal is to entice users into paying money to have fake problems fixed.
In the grand scheme of things, this is pretty benign as far as “attacks” go. However, the software is flagged by a large portion of cybersecurity vendors:
https://www.virustotal.com/gui/file/0659388dba26d26eada6d82ed38f22fb2b0a264d1cc4667cce7f4523c72d59be/detection
Customizing LoL Attacks
As a result, attackers really need to roll up their sleeves to customize their tactics and avoid detection.
We detected the following sequence during our regular course of monitoring. The process IDs (PIDs) tie the records together: each child’s PID reappears as the parent PID of the following record.
Process Creation
Child
PID:14080
Image:mshta.exe
Path:C:\Windows\SysWOW64
CommandLine:"C:\WINDOWS\System32\mshta.exe" "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\bin\Tools\run.hta" "--relaunch" "true" "--run" "startup"
Company:Microsoft Corporation
Product:Internet Explorer
Description:Microsoft (R) HTML Application host
Parent
PID:13996
Image:DriverPackNotifier.exe
Path:C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier
Command:"C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\DriverPackNotifier.exe" --relaunch true --run startup
The first step is the use of the Windows HTML Application host (mshta.exe).
HTML Applications are essentially a way to create full-fledged apps built out of dynamic HTML and whatever web-based scripting languages Internet Explorer can run.
This can be useful for creating HTML help interfaces, or, apparently, for running code that would otherwise be blocked by AV.
Process Creation
Child
PID:14888
Image:cmd.exe
Path:C:\Windows\SysWOW64
CommandLine:"C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt' -Wait | Invoke-Expression" > "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stdout.log" 2> "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stderr.log"
Company:Microsoft Corporation
Product:Microsoft® Windows® Operating System
Description:Windows Command Processor
Version:10.0.18362.449 (WinBuild.160101.0800)
Parent
PID:14080
Image:mshta.exe
Path:C:\Windows\SysWOW64
Command:"C:\WINDOWS\System32\mshta.exe" "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\bin\Tools\run.hta" "--relaunch" "true" "--run" "startup"
Process Creation
Child
PID:8420
Image:powershell.exe
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0
CommandLine:powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt' -Wait | Invoke-Expression"
Company:Microsoft Corporation
Product:Microsoft® Windows® Operating System
Description:Windows PowerShell
Version:10.0.18362.1 (WinBuild.160101.0800)
Parent
PID:14888
Image:cmd.exe
Path:C:\Windows\SysWOW64
Command:"C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt' -Wait | Invoke-Expression" > "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stdout.log" 2> "C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stderr.log"
The second step is to launch cmd.exe from the mshta process, which in turn starts a PowerShell execution.
Notably, the list of commands to execute is not in the form of a .PS1 script, as we would expect from a regular user.
Instead, the commands come from a .txt file that Get-Content reads (the -Wait flag keeps tailing the file, so lines appended later are picked up as well) and pipes into the Invoke-Expression cmdlet.
Process Creation
Child
PID:12256
Image:csc.exe
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319
CommandLine:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\[REDACTED]\AppData\Local\Temp\ltgfk0hg.cmdline"
Company:Microsoft Corporation
Product:Microsoft® .NET Framework
Description:Visual C# Command Line Compiler
Version:4.8.3752.0 built by: NET48REL1
Parent
PID:8420
Image:powershell.exe
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0
Command:powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt' -Wait | Invoke-Expression"
File Creation
PID:12256
Image:csc.exe
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319
Target File
Extension:dll
Name:ltgfk0hg.dll
Path:C:\Users\[REDACTED]\AppData\Local\Temp
The PowerShell code then calls the .NET command-line compiler (csc.exe) to create a new malicious component in the form of a DLL, written to the user’s Temp folder.
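As an added example (not CYDEF’s tooling and not part of the original post), the detection logic below rebuilds the parent/child chain from process-creation events shaped like the records above and tags each hop with the MITRE ATT&CK technique ID this post cites; the sample events are constructed, reusing the page’s PIDs with shortened paths and file names.

```python
import re

# ATT&CK technique IDs cited in the post, one per LoLbin hop in the chain.
MSHTA, CMD, PS, CSC = "T1218.005", "T1059.003", "T1059.001", "T1027.004"
# Constructed events modelled on the records above (PIDs from the page, paths shortened).
EVENTS = [
    {"pid": 13996, "ppid": 1, "image": "DriverPackNotifier.exe",
     "cmd": "DriverPackNotifier.exe --relaunch true --run startup"},
    {"pid": 14080, "ppid": 13996, "image": "mshta.exe",
     "cmd": r'"C:\WINDOWS\System32\mshta.exe" "C:\Users\u\AppData\Roaming\DriverPack Notifier\bin\Tools\run.hta"'},
    {"pid": 14888, "ppid": 14080, "image": "cmd.exe",
     "cmd": r"""cmd.exe /C powershell -ExecutionPolicy Bypass "Get-Content 'C:\Users\u\AppData\Roaming\DriverPack Notifier\temp\ps.cmd.txt' -Wait | Invoke-Expression" > stdout.log"""},
    {"pid": 8420, "ppid": 14888, "image": "powershell.exe",
     "cmd": r"""powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\u\AppData\Roaming\DriverPack Notifier\temp\ps.cmd.txt' -Wait | Invoke-Expression" """},
    {"pid": 12256, "ppid": 8420, "image": "csc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\ltgfk0hg.cmdline"'},
]

def hop_techniques(ev, parent):
    """Return the ATT&CK IDs one process-creation hop (child plus its parent) exhibits."""
    img, cmd, pimg = ev["image"].lower(), ev["cmd"], (parent or {}).get("image", "").lower()
    found = set()
    if img == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I):
        found.add(MSHTA)  # HTML Application host used to proxy execution
    if img == "cmd.exe" and pimg == "mshta.exe":
        found.add(CMD)  # command shell launched from a LoLbin rather than by a user
    # Script body tailed from a non-.ps1 file and piped into Invoke-Expression, policy bypassed.
    if img == "powershell.exe" and re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.I) \
            and re.search(r"Get-Content\s+'[^']+(?<!\.ps1)'.*\|\s*(Invoke-Expression|iex)\b", cmd, re.I):
        found.add(PS)
    if img == "csc.exe" and pimg == "powershell.exe" and re.search(r'@"?[^"]*\\Temp\\', cmd, re.I):
        found.add(CSC)  # C# compiled on the host from a response file in %TEMP%
    return found

def detect_chain(events):
    """Walk each csc.exe event up to its root; alert when mshta and PowerShell hops are both present."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in (e for e in events if e["image"].lower() == "csc.exe"):
        chain, techs, cur = [], set(), ev
        while cur is not None:
            parent = by_pid.get(cur["ppid"])
            techs |= hop_techniques(cur, parent)
            chain.append(cur["image"])
            cur = parent
        chain.reverse()
        if {MSHTA, PS, CSC} <= techs:
            alerts.append({"chain": chain, "techniques": sorted(techs)})
    return alerts
```

A lone csc.exe under PowerShell (for example a build script run with -File) does not alert; the rule requires the mshta hop and the Invoke-Expression-from-text pattern as well.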
Living-Off-the-Land Attacks Hiding in Plain Sight
Remember: these cyber attackers customized this attack for the sake of shilling fake Windows maintenance.
Attackers invested time and effort to leverage MITRE ATT&CK techniques T1218.005 (Signed Binary Proxy Execution: Mshta), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.001 (Command and Scripting Interpreter: PowerShell) and T1027.004 (Obfuscated Files or Information: Compile After Delivery) to sell a “driver optimizer”.
Just imagine what attackers would be willing to do to steal something of real value.
If you are worried that your current suite of cybersecurity solutions would not catch this kind of attack, please contact us.
The team at CYDEF can help catch malicious activity missed by traditional security tools.