Threat Actors Leverage Legitimate Tools in LOTL Attacks

Threat actors are increasingly leveraging native, legitimate tools on targeted systems or networks—a technique known as Living off the Land (LOTL)—to gain access, steal credentials, maintain persistence, obfuscate malicious activity, evade detection by legacy security tools, exfiltrate data, and more. These attacks are popular with threat actors because the tools are readily available and built into computers by default. The activity is difficult to detect with signature-based methods, legacy security tools, allowlisting, sandboxing, and machine-based analysis; as a result, it is challenging to distinguish normal from malicious activity. Additionally, most environments cannot disable, uninstall, or block these legitimate tools because they are neither viewed nor flagged as malicious.
According to CrowdStrike’s 2022 Global Threat Report, 62 percent of threat actors use fileless malware techniques in LOTL attacks, such as exploit kits, hijacked native tools, registry resident malware, memory-only malware, fileless ransomware, and stolen credentials. Threat actors utilize exploit kits to automate initial compromises and take advantage of vulnerabilities in operating systems or installed applications. They also hijack native, legitimate tools to escalate privileges, access other systems or networks, steal or encrypt data, install malware, set up backdoors, and more. Registry resident malware writes malicious code directly into the Windows registry, can be programmed to launch when the operating system starts, and remains persistent and undetected for long periods. Memory-only malware resides only in memory, remains hidden, and can serve as a backdoor to conduct reconnaissance, move laterally, and exfiltrate data. Fileless ransomware first embeds malicious code in documents and then hijacks legitimate tools to encrypt files. Common tools used by ransomware groups include PowerShell, PsExec, Windows Management Instrumentation (WMI), Mimikatz, and Cobalt Strike. Threat actors also steal legitimate users’ account credentials and use them to target other users in business email compromise (BEC) scams, with the intent to harvest further account credentials or other sensitive information, conduct reconnaissance of additional systems, hijack legitimate tools, and establish persistence.
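Because the tools themselves are legitimate, process-creation telemetry (which parent launched which binary with what command line) is where hijacked PowerShell, PsExec and WMI usage stands out. The following Python is an added example, not code from the original article or from any vendor: it runs a small set of LOTL detection rules over constructed Sysmon-style process-creation lines; the log layout, rule names and sample lines are assumptions made for this example.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation lines written for this example, not real telemetry.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe report.txt
ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA
ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\PSEXESVC.exe|CommandLine=C:\Windows\PSEXESVC.exe
ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic process call create calc.exe
"""

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def parse_line(line):
    """Split 'Key=Value|Key=Value' into (parent image, image, command line)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return fields["ParentImage"], fields["Image"], fields["CommandLine"]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lotl_indicators(parent_path, image_path, cmdline):
    """Return the names of the LOTL detection rules an event matches ([] if benign)."""
    parent, img, cmd = basename(parent_path), basename(image_path), cmdline.lower()
    hits = []
    # -e / -ec / -enc / -encodedcommand all feed PowerShell a base64-encoded script
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"\s-e(c|nc|ncodedcommand)?\s", f" {cmd} "):
        hits.append("powershell_encoded_command")
    if parent in OFFICE_APPS and img in SHELLS:
        hits.append("office_spawns_shell")       # document launching a shell interpreter
    if img == "psexesvc.exe" or parent == "psexesvc.exe":
        hits.append("psexec_service")            # PsExec's service binary on the target host
    if parent == "wmiprvse.exe" and img in SHELLS:
        hits.append("wmi_spawns_shell")          # process started through remote WMI
    if img == "wmic.exe" and "process call create" in cmd:
        hits.append("wmic_process_create")       # WMI used locally to start a process
    return hits

def triage(log_text):
    """Map each suspicious command line to its matched rules; benign events are dropped."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            parent, image, cmdline = parse_line(line)
            hits = lotl_indicators(parent, image, cmdline)
            if hits:
                findings[cmdline] = hits
    return findings
```

Running `triage(SAMPLE_LOG)` flags four of the five sample events and leaves the Notepad launch alone; in practice these rules are tuned against a baseline of the environment's own administrative activity to keep the false-positive rate down.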
Image Source: Recorded Future
Threat actors recently used legitimate tools in LOTL attacks. Advanced persistent threat (APT) groups abused trusted legitimate internet services (LIS), such as Microsoft’s OneDrive and Google Cloud, to obfuscate malicious activity and adversary infrastructure and to make their operations and data theft more efficient. Additionally, threat actors exploited a vulnerability in Microsoft Teams to bypass client-side security controls and deliver malware. After compromising two Microsoft 365 accounts, they sent HR-themed phishing emails claiming there had been changes to the vacation schedule. The emails contained a malicious attachment that, if downloaded from the SharePoint website and opened, launched a script to install DarkGate malware. In another attack, threat actors used Google Looker Studio to initiate an email from Google that contained a link to a fake cryptocurrency investment strategies report; to access it, the target was directed to a login page that harvested account credentials. Finally, threat actors abused the Windows Advanced Installer tool to package other legitimate software installers with malicious scripts that executed cryptocurrency-mining malware on infected systems. Although the campaign primarily targeted graphic designers in France and Switzerland with GPU miners, there were a few reported infections in the US.