Living Off the Land and Vulnerable Drivers
If you have been reading the news about malware lately, you will have seen terms like LOTL and BYOVD thrown around, but what are they, and can you stop these types of techniques?
What are Living Off the Land Attacks (LOTL)?
Living Off the Land, or LOTL, is a technique malware uses to hide from Antivirus (AV) and other security solutions. Instead of bringing its own tools, LOTL abuses applications and executables that are already present in the operating system. A good example is screenshotting software, which comes built into every Windows machine.
What Is Bring Your Own Vulnerable Driver (BYOVD)?
Bring Your Own Vulnerable Driver, or BYOVD, is another technique malware uses to bypass security features. If you have ever had to run an old program, you may have had to install an old version of something it depends on, such as an old library. Malware can use the same idea: why would an attacker search for a way into an up-to-date system when they know they can install a vulnerable driver, program, or DLL that gives them access to that system?
How Both Can Be Used
So how can malware developers combine both techniques to access an up-to-date system? First, the attacker needs to get their malware onto the system; this can be done with a phishing attack or by loading the malware onto USB sticks and dropping them around the target. Once installed, the malware has only limited permissions. That is where BYOVD comes into play: the malware installs a vulnerable driver that lets it gain additional permissions, and now the malware has permission to do anything on the machine. With those permissions, it can use the LOTL technique to take screenshots and upload them to the internet, using built-in programs such as the Windows screenshot tool and then uploading the screenshots to an attacker-controlled Google Drive through the native web browser.
How Can People Stop These Types of Cyber Attacks?
The best way to stop these attacks is not to install unknown programs from unknown sources. However, users rarely do their due diligence when it comes to the programs running on their devices, so here are some other ways to prevent LOTL and BYOVD attacks.
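As an added example (not from the original post and not ThreatLocker's code), the PowerShell script below audits a Windows host for BYOVD exposure: it checks whether Microsoft's vulnerable driver blocklist and HVCI are switched on, then lists running drivers that are unsigned or loaded from outside the Windows directory. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example: audit a Windows host for BYOVD exposure (assumes an elevated session).

function Get-ByovdDefenseStatus {
    # Microsoft's vulnerable driver blocklist is controlled by this registry value.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # In Win32_DeviceGuard, value 2 in SecurityServicesRunning means HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VulnerableDriverBlocklist = ($blocklist -eq 1)
        HvciRunning               = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
    }
}

function Get-SuspiciousRunningDrivers {
    $winDir = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel path forms (\??\C:\..., \SystemRoot\..., System32\...) to a file path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $winDir
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $winDir $path }

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name           = $_.Name
                Path           = $path
                Signature      = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                OutsideWindows = -not $path.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
            }
        } |
        # A driver that is unsigned, mis-signed, or living outside %SystemRoot% is what a BYOVD drop looks like.
        Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideWindows } |
        Sort-Object Name
}

Get-ByovdDefenseStatus | Format-List
Get-SuspiciousRunningDrivers | Format-Table -AutoSize
```

A validly signed driver can still be on the blocklist, so treat the output as a starting point for review against Microsoft's recommended driver block rules rather than a clean bill of health.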
How Can ThreatLocker® Stop This?
ThreatLocker® can stop this in a few ways. By default, ThreatLocker blocks unknown software: any program that has not been allowed by the company or its IT staff is blocked. Another way to stop this type of attack is ThreatLocker Ringfencing™. Ringfencing™ applies to programs that are already authorized but on which restrictions can still be placed. For instance, if the organization knows that a program has no need to call out to the internet, it can create a Ringfencing™ policy that stops the program if it ever tries to interact with the internet. A good example is PowerShell: it should never have internet access to download software onto a user's machine, so a Ringfencing™ policy for PowerShell would stop it from ever calling out to the internet or interacting with any additional processes.