Researchers Discover 12 New LOLBAS Binaries that are Used by Attackers

Hackers actively leverage LOLBAS (Living-Off-the-Land Binaries-And-Scripts), a popular methodology in which threat actors abuse legitimate tools to hide the illicit actions they perform.

Jan 16, 2025 · 3 min read

As LOLBAS gains traction in cyber attacks at a rapid pace, experts are also actively seeking new methods to detect as-yet-unknown malicious binaries and build better defense mechanisms.

Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware.

With over 3000 Windows binaries to examine, LOLBAS discovery is a challenge, so the researchers opted for an automated approach and found 12 new files in 4 weeks, a 30% rise in the known downloaders and executors.

LOLBAS: An Evergreen Type of Cyber Attack

It is important to understand how hackers constantly seek to exploit the legitimate tools within your systems and turn them against you for their illicit purposes.

Detection of Binaries

The automated solution generates the download attempt: it lists the candidate binaries and then triggers each potential downloader via a simple HTTP command structure with two parts:-

  • The path of the potential downloader

  • A URL to download the file from

[Image: Downloader file (Source – Pentera)]

The second part is an HTTP server that receives feedback on the download attempts; its log records show which binaries actually tried to download the file.

[Image: Running HTTP server (Source – Pentera)]
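The two-part structure described above (a command line that hands a URL to a candidate binary, and an HTTP server whose log confirms which binaries actually fetched it) maps directly onto defender-side telemetry. The following Python example is added here and is not Pentera's tooling or code from the article: it flags process-creation events in which a binary under C:\Windows is launched with a URL on its command line, then confirms the download against the HTTP server's access log by matching the URL path. All binary names (toolA.exe, toolB.exe, toolC.exe), hosts and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article): process-creation events
# in the shape a Sysmon/EDR sensor emits. Binary names are placeholders.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\toolA.exe",
     "cmdline": r"toolA.exe /fetch http://lab-srv.example.test/probe/toolA"},
    {"pid": 4121, "image": r"C:\Windows\System32\toolB.exe",
     "cmdline": r"toolB.exe /open http://lab-srv.example.test/probe/toolB"},
    {"pid": 4122, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": r"browser.exe https://intranet.example.test/"},
    {"pid": 4123, "image": r"C:\Windows\System32\toolC.exe",
     "cmdline": r"toolC.exe /list"},
]

# Constructed access-log lines (Common Log Format) from the feedback HTTP server.
# Only toolA's request ever arrived; toolB accepted a URL but never downloaded.
HTTP_LOG = """\
10.0.0.5 - - [16/Jan/2025:10:01:02 +0000] "GET /probe/toolA HTTP/1.1" 200 512
10.0.0.5 - - [16/Jan/2025:10:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
WINDOWS_DIR = "c:\\windows\\"
# Placeholder allowlist: OS binaries whose network activity is expected.
# Anything else under C:\Windows that receives a URL is treated as a candidate.
KNOWN_NETWORK_TOOLS = {"toolc.exe"}


def url_in_cmdline(cmdline):
    """Return the first http(s) URL on the command line, or None."""
    match = URL_RE.search(cmdline)
    return match.group(0) if match else None


def candidate_downloaders(events):
    """Part one: OS binaries launched with a URL argument -> [(basename, url)]."""
    found = []
    for ev in events:
        image = ev["image"]
        basename = image.rsplit("\\", 1)[-1]
        if not image.lower().startswith(WINDOWS_DIR):
            continue                       # third-party software, out of scope
        if basename.lower() in KNOWN_NETWORK_TOOLS:
            continue                       # expected network use, not a LOLBAS signal
        url = url_in_cmdline(ev["cmdline"])
        if url:
            found.append((basename, url))
    return found


def fetched_paths(log_text):
    """Part two: URL paths the HTTP server actually served with a 2xx status."""
    paths = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("status").startswith("2"):
            paths.add(m.group("path"))
    return paths


def confirmed_downloaders(events, log_text):
    """Correlate both parts: candidates whose URL path appears in the server log."""
    served = fetched_paths(log_text)
    return [name for name, url in candidate_downloaders(events)
            if urlparse(url).path in served]


if __name__ == "__main__":
    print("candidates:", candidate_downloaders(PROCESS_EVENTS))
    print("confirmed :", confirmed_downloaders(PROCESS_EVENTS, HTTP_LOG))
```

The command-line check alone over-reports (toolB accepted a URL argument but never fetched anything), which is why the server-side log is the deciding signal; in production the same correlation can be run against proxy or DNS logs instead of a lab HTTP server.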

The experts’ automated method revealed 6 additional downloaders, a 30% boost to the LOLBAS list, bringing the total to 9 discoveries.

Here’s how the manual approach looks:-

[Image: Manual approach (Source – Pentera)]

Besides this, the complete process could be automated via two tools:-

  • IDAPython: It finds API call cross-references and decompiles the relevant functions.

  • ChatGPT: It assists in analyzing the connections between function arguments to build a solid POC.

The proposed static approach surpasses dynamic analysis by focusing on low-level details of the code, such as:-

  • Automating reverse engineering for deeper code insights

  • Revealing structure, behavior, and potential issues

Source: CybersecurityNews.com
