Symantec: Living off the Land Attacks Flourish in 2017

7 years ago

Symantec provides an in-depth look at how attackers are increasingly adopting ‘living off the land’ tactics – something Symantec touched on in its Internet Security Threat Report earlier this year.

The key findings include:

- The top four “living off the land” attack techniques are memory-only threats, fileless persistence, dual-use tools, and non-PE file attacks. Cyber criminals are adopting these tactics to spread threats like ransomware and financial Trojans, but nation-state targeted attack groups also make use of them. Recent attacks by the Calicum/Fin7 group against restaurants in the U.S. have shown how effective these tactics can be.

- The most common dual-use tool in 2017 was sc.exe, followed by remote access tools such as VNC. Dual-use tools are ubiquitous, which means an attacker can hide in plain sight. System and dual-use tools are frequently used to gather information about a freshly compromised system, and have also been used during lateral movement or to exfiltrate stolen data. This activity blends in with normal system administration work, making it difficult to detect.

- Embedding malicious scripts in the registry is the most common fileless persistence method, seen on around 5,000 computers per day. The most popular fileless load point mechanism is storing a malicious script in the Windows registry; Trojan.Poweliks, Trojan.Kotver and Trojan.Bedep make heavy use of this method. So far in 2017, Symantec has blocked around 4,000 Trojan.Kotver attacks per day on endpoints.
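As an added defender-side example (not code from Symantec's report), the following PowerShell enumerates the standard Run/RunOnce keys and flags values that fit the registry-resident script load point described above: a script host or encoded command in the value data, an unusually long value, or a value name that regedit cannot display. The key list, patterns and size threshold are assumptions of this example, not Symantec's detection logic.

```powershell
# Added example: hunt for registry-resident fileless load points in Run/RunOnce.
# Assumes a Windows host with PowerShell 5+; keys, patterns and thresholds are
# this example's assumptions, not Symantec's detection rules.

$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script hosts and encoded-command switches that rarely belong in a Run value.
$Suspicious = @(
    '\bmshta\b', '\bwscript\b', '\bcscript\b', '\bpowershell\b', '\bpwsh\b',
    'rundll32.*(javascript|vbscript):',
    '\s-e(nc(odedcommand)?)?\b', '\biex\b', 'invoke-expression', 'frombase64string'
)
$Pattern = ($Suspicious -join '|')

function Get-SuspiciousAutorun {
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Item = Get-Item -LiteralPath $Key
        foreach ($Name in $Item.GetValueNames()) {
            $Data = [string]$Item.GetValue($Name)
            $Reasons = @()
            if ($Data -match $Pattern) { $Reasons += 'script host or encoded command' }
            # Script payloads stored inline tend to be far longer than a normal launcher path.
            if ($Data.Length -gt 1024) { $Reasons += "unusually long value ($($Data.Length) chars)" }
            # Control characters in a value name keep it from being shown in regedit.
            if ($Name -match '[\x00-\x1f]') { $Reasons += 'non-printable characters in value name' }
            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $Key
                    Name   = $Name
                    Reason = $Reasons -join '; '
                    Data   = if ($Data.Length -gt 120) { $Data.Substring(0, 120) + '...' } else { $Data }
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

Any hit should be triaged against the system's known software inventory, since legitimate installers occasionally use script hosts in Run values.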