BleepingComputer reports that Microsoft Office executables have been discovered to be living-off-the-land binaries and scripts, which could be leveraged to facilitate malware downloads from a remote server.
While only the MsoHtmEd.exe, ProtocolHandler, exe, and MSPub.exe were initially discovered to function as third-party file downloads, eight more downloaders have been identified through a new script that was developed to enable automated verification, according to a Pentera report.
The MSPub executable's arbitrary payload downloading capabilities have already been confirmed, said Pentera researcher Nir Chako.
Meanwhile, the widely used PyCharm suite for Python development has been identified to have LOLBAS executables including elevator.exe, which enables arbitrary file execution with elevated privileges, and WinProcessListHelper.exe, which performs system process enumeration for reconnaissance. On the other hand, user and security identifiers could be exposed through the exploitation of the Git installation folder's mkpasswrd.exe executable.
Other platforms could also be examined for LOLBAS files using the tool, said Chako.