Is an attacker living off your land?

Malware – and all of its various forms, including ransomware – has grown increasingly stealthy and sophisticated in recent years. Also on the rise: Its ability to fly under cybersecurity software’s radar.

One of the primary reasons detecting and stamping out malware is so difficult is the rise of an attack method called living off the land (LotL). Despite conjuring up idyllic images of urban farming or sustainability, the term refers to a group of techniques that typically execute in shell code or scripts running in memory.

Attackers who “live off the land” make use of a system’s own tools and utilities to conduct malicious activity. With these attacks, which don’t use easily detectable malicious files, an attacker can lurk within a computer or network and avoid discovery by security tools.

Even if an attack is discovered, the binaries used are exceptionally difficult to eradicate. As a result, a LotL attack is particularly risky for victims.

Living Off the Land: A Brief History
The concept of using fileless malware, or malware that relies on legitimate programs to attack, first appeared around the start of the current century. Early examples of this approach include malware with names like Frodo, Code Red, and SQL Slammer Worm. However, these payloads were more of a nuisance than a real threat. Then, in 2012, a banking Trojan named Lurk appeared. Although it wasn’t terribly sophisticated, it demonstrated LotL’s potential.

In 2013, security researchers Christopher Campbell and Matt Greaber coined the LotL term to describe malware that hides within a system and exploits legitimate tools and utilities to cause damage. Over the past few years, the scope and sophistication of these attacks has grown. In fact, as security firms have become better at identifying and blacklisting malicious files, fileless attacks have moved into the mainstream.

How Does Living Off the Land Work?
In a LotL attack, adversaries take advantage of legitimate tools and utilities within a system. This might include PowerShell scripts, Visual Basic scripts, WMI, PSExec, and Mimikatz. The attack exploits the functionality of the system and hijacks it for nefarious purposes. It may include tactics like DLL hijacking, hiding payloads, process dumping, downloading files, bypassing UAC keylogging, code compiling, log evasion, code execution, and persistence.

To read the complete article, visit Dark Reading.