Living off the Land Binaries with Virtual Machines

As the threat of ransomware increases, the ever-growing demand for more efficient cybersecurity implementations invites cybercriminals to find new methods of bypassing these countermeasures. One method for bypassing potential antivirus software is to use the binaries already present on the victim device, causing damage through trusted binaries that do not trigger Windows Defender (or similar antivirus measures).

This thesis attempts to use virtual machines as a living-off-the-land binary. By utilizing the virtual environment of Windows ISO images within a hypervisor, the attacker can download and execute a binary without being stopped by the bare-metal host's IDS or IPS. As the attacker controls the virtual environment, they can disable Windows Defender within the virtual machine and acquire the ransomware without the upper layer of IDS or IPS even noticing, meaning they also remain stealthy for a persistent engagement. The attacker would then proceed to use the shared folder functionality of the hypervisor and target a directory with sensitive files, before executing the binary within the virtual machine. To the bare-metal host, it would look like a hypervisor process is affecting the files within the shared folder, which does not raise any alarms. However, what is actually happening is that the ransomware of the attacker's choice has encrypted the files of the target directory (or mounted drive, depending on the method used), and can now continue to the next directory (or drive).

The results of this work showed that virtual machines can be used for living-off-the-land binary attacks by utilizing either the shared folder functionality of a specific hypervisor, or by mounting a drive to a virtual machine. The experiments were proven to work within their own parameters, assuming certain requirements are fulfilled for the attack to be doable. Defenders can tweak IDS and IPS policies to limit or warn when a user accesses or changes partitions, or limit the accessibility of the hypervisors native to the machine.

Bibliographic Details
Main Author: Lingaas Türk, Jakob
Alternative title (Swedish): Att utnyttja virtuella maskiner för att injicera ransomware (Using virtual machines to inject ransomware)
Format: Student thesis (bachelor thesis); application/pdf; open access
Language: English
Published: Högskolan i Halmstad 2021
Subjects: LOLbin; Living off the land; virtual machine escape; fileless malware; Computer Sciences (Swedish subject heading: Datavetenskap (datalogi))
Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-44842