Cyber attacks are not the exclusive realm of sophisticated attackers. These attacks get democratized very quickly 

To illustrate this point, we’ll review a potentially unwanted program (PuP) that uses a clever living-off-the-land attack chain to avoid getting blocked. 

Living-Off-the-What-Now? 

A living-off-the-land (LoL) attack uses the resources that are already present on a computer to perform malicious actions. Rather than loading additional software on the victim deviceLoL attacks craftily repurpose resources to launch an attack 

For example, instead of loading a stager executable file that downloads the main malware component, a LoL attack may pass a script to the Powershell program. Powershell already exists on the system for normal system administration. That’s how this style of attacks got the name “living-off-the-land”; attackers forage on what the land’ (the victim’s machine) can offer (programs already present on a machine) instead of bringing their own food (loading new attack tools/binaries). 

This attack methodology is a staple of most advanced attacks because it is a convenient way to bypass defenses.  

The programs present on the computer that can be abused (commonly known as LoLbins) are often programs that are known to be legitimate. For example, many of the more dangerous LoLbins are component of the operating system used for system administration. As a result, the abusable programs will not be flagged by anti-virus software nor will they be blocked by application allowlisting solutions. Companies require additional layers of defense (such as the monitoring service provided by CYDEF) to detect, and ultimately stop, these threats. 

LoL Chain 

During the course of our daily monitoring, our analysts detected the presence of the DriverPackNotifier 

This is a run-off-the-mill “driver optimizer”-type potentially unwanted program (PuP)The business model used by this kind of PuPs is to present users with scary alarms telling them their computer needs a series of updates in order to run smoothly. Ultimately, the goal is to entice users into paying money to have fake problems fixed.  

In the grand scheme of things, this is pretty benign as far as “attacks” go. However, the software is flagged by a large portion of cyber security vendors: 

https://www.virustotal.com/gui/file/
0659388dba26d26eada6d82ed38f22fb2b0a264d1cc4667cce7f4523c72d59be/detection

Customizing LoL Attacks 

As a result, attackers really need to roll up their sleeves to customize their tactics and avoid detection. 

 We detected the following sequence during our regular course of monitoring. The process IDs have been colored to make it easier to follow. 

Process Creation  

Child 

PID:14080  

Image:mshta.exe  

Path:C:\Windows\SysWOW64  

CommandLine:“C:\WINDOWS\System32\mshta.exe” “C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\bin\Tools\run.hta” “–relaunch” “true” “–run” “startup”  

Company:Microsoft Corporation  

Product:Internet Explorer  

Description:Microsoft (R) HTML Application host  

Parent 

PID:13996  

Image:DriverPackNotifier.exe  

Path:C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier  

Command:“C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\DriverPackNotifier.exe” –relaunch true –run startup  

The first step is the use the HTML application from Windows.  

This is essentially a way to create full-fledged apps built out of dynamic HTML and whatever web-based scripting languages that can be run by Internet Explorer.  

This can be useful to create HTML help interfaces, or, apparently, to run code that would be blocked by AV. 

Process Creation 

Child

PID:14888

Image:cmd.exe 

Path:C:\Windows\SysWOW64 

CommandLine:“C:\Windows\System32\cmd.exe” /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass “Get-Content ‘C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt’ -Wait | Invoke-Expression” > “C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stdout.log” 2> “C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stderr.log” 

Company:Microsoft Corporation 

Product:Microsoft® Windows® Operating System 

Description:Windows Command Processor 

Version:10.0.18362.449 (WinBuild.160101.0800) 

Parent

PID:14080

Image:mshta.exe 

Path:C:\Windows\SysWOW64 

Command:“C:\WINDOWS\System32\mshta.exe” “C:\Users\ [REDACTED]\AppData\Roaming\DriverPack Notifier\bin\Tools\run.hta” “–relaunch” “true” “–run” “startup” 

 

 

Process Creation 

Child

PID:8420

Image:powershell.exe 

Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0 

CommandLine:powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass “Get-Content ‘C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt’ -Wait | Invoke-Expression” 

Company:Microsoft Corporation 

Product:Microsoft® Windows® Operating System 

Description:Windows PowerShell 

Version:10.0.18362.1 (WinBuild.160101.0800) 

Parent

PID:14888

Image:cmd.exe 

Path:C:\Windows\SysWOW64 

Command:“C:\Windows\System32\cmd.exe” /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass “Get-Content ‘C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt’ -Wait | Invoke-Expression” > “C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stdout.log” 2> “C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.stderr.log” 

The second step is to launch cmd from the mshta program to call a Powershell execution.  

Notably, the list of commands to executes is not in the form of a .PS1 script, as we would expect from a regular user  

Instead, the list comes from a .txt file passed to the invoke-expression method.  

Process Creation  

Child

PID:12256

Image:csc.exe 

Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319 

CommandLine:“C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Users\[REDACTED]\AppData\Local\Temp\ltgfk0hg.cmdline” 

Company:Microsoft Corporation 

Product:Microsoft® .NET Framework 

Description:Visual C# Command Line Compiler 

Version:4.8.3752.0 built by: NET48REL1 

Parent

PID:8420

Image:powershell.exe 

Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0 

Command:powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass “Get-Content ‘C:\Users\[REDACTED]\AppData\Roaming\DriverPack Notifier\temp\ps.kl651x9e.mp0tj.cmd.txt’ -Wait | Invoke-Expression” 

 

File Creation 

PID:12256

Image:csc.exe 

Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319 

Target File

Extension:dll 

Name:ltgfk0hg.dll 

Path:C:\Users\[REDACTED]\AppData\Local\Temp 

Then, the Powershell code calls the .NET command line compiler to create a new malicious component in the form of a DLL.  

Living-Off-the-Land Attacks Hiding in Plain Sight 

Remember: these cyber attackers customized this attack for the sake of shilling fake Windows maintenance 

Attackers invested time and effort to leverage MITRE ATT&CK techniques T1218.005 (Signed Binary Proxy Execution: Mshta), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.001 (Command and Scripting Interpreter: PowerShell) and T1027.004 (Obfuscated Files or Information: Compile After Delivery) to sell “driver optimizer”.  

Just imagine what attackers would be willing to do to steal something of real value 

If you are worried that your current suite of cyber security solutions would not catch this kind of attack, please contact us.  

The team at CYDEF can help catch malicious activity missed by traditional security tools.