Cyberattackers are successfully evading detection on Windows computers by abusing legitimate admin tools commonly found on the operating system.
This is a pivotal finding of the SophosLabs 2019 Threat Report, which traces how the technique has risen from the fringes of the cybercriminal playbook to become a common feature in a growing number of cyber attacks.
Known in security parlance as ‘living off the Land’ or ‘LoL’ because it avoids the need to download dedicated tools, a favourite target is PowerShell, a powerful command line shell that ships by default on all recent Windows computers even though few users have heard of it.
Alternatives include Windows Scripting Host (WScript.exe), the Windows Management Instrumentation Command line (WMIC), as well as popular external tools such as PsExec and WinSCP.
It’s a simple strategy that makes detection a puzzle. Removing the tools is an option but comes with disadvantages few admins would be happy with, notes the report:
PowerShell is also an integral component of tools that help administrators manage networks of almost any size, and as a result, must be present and must be enabled in order for those admins to be able to do things like, for example, push group policy changes.
Attackers, of course, know this and often feel brazen enough to chain together a sequence of scripting and command interfaces, each running in a different Windows process.
According to SophosLabs, attacks might start with a malicious JavaScript attachment, in turn invoking wscript.exe, before finally downloading a custom PowerShell script. Defenders face a challenge:
With a wide range of file types that include several “plain text” scripts, chained in no particular order and without any predictability, the challenge becomes how to separate the normal operations of a computer from the anomalous behaviour of a machine in the throes of a malware infection.
Macro attacks 2.0
Meanwhile, attackers show no signs of giving up on new variations on Microsoft Office macro attacks, another route to launch exploits without the need for conventional executables.
In recent years, protections such as disabling macros inside documents or using preview mode have blunted this technique.
Unfortunately, attackers have developed techniques to persuade people to disable these using macro builder tools that package Office, Flash, and other exploits within a document that throws up sophisticated social engineering prompts.
Compounding this, cybercriminals have refreshed their older stock of software flaws in favour of more dangerous and recent equivalents – SophosLabs’ analysis of malicious documents found that only 3% of exploits inside builders dated back to before 2017.
With well-used filetypes now blocked or monitored by endpoint security, the trend is to use more exotic filetypes to launch attacks, especially apparently innocuous ones that can be called from a Windows shell such as .cmd (Command File) .cpl (Control Panel), .HTA (Windows Script Host), .LNK (Windows Shortcut), and .PIF (Program Information File).
Moving sideways
The EternalBlue exploit (CVE–2017-0144) has surprisingly become a popular staple for malware writers, despite Microsoft issuing a patch in advance of its first use by WannaCry in May 2017.
Cryptominers have been enthusiastic users of EternalBlue, using it to move laterally through networks to infect as many machines as possible.
Attackers combining these innovations – Windows LoL tools, macro attacks, novel exploits and cryptomining – represents a challenge because they often confound the assumptions of defenders.
Their uptake of these more complex and esoteric approaches has been driven, ironically, by the success of the cybersecurity industry at curbing traditional malware. Concludes Sophos CTO, Joe Levy:
We expect we’ll eventually be left with fewer, but smarter and stronger, adversaries.
Read more in the SophosLabs 2019 Threat Report.