A new take on “fileless” malware: Threat actors hide malicious code in event logs
Woburn, MA – May 4, 2022 – Kaspersky researchers have uncovered a distinctive targeted malware campaign that used Windows event logs to store malware. The activity also displayed an impressive variety of techniques, including commercial pentesting suites and anti-detection wrappers, some of them compiled with Go, as well as several last-stage Trojans.
The targeted malware campaign used a unique technique, hiding “fileless” malware inside Windows event logs. The initial infection of the system was carried out through a dropper module from an archive downloaded by the victim. The attacker used a variety of unparalleled anti-detection wrappers to make the last-stage Trojans even less visible. To further avoid detection, some modules were signed with a digital certificate.
The attackers employed two types of Trojans for the last stage, gaining further access to the system. Commands from the control servers were delivered in two ways: over HTTP network communications and via named pipes. Some versions used a command system with dozens of commands from the C2.
The campaign also included commercial pentesting tools, namely SilentBreak and CobaltStrike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcode on the system.
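The release describes shellcode being stored, encrypted, in Windows event logs. The following is an added defender-side example, not Kaspersky's code and not specific to this campaign: it scans an XML export of event records (as produced, for instance, by PowerShell's Get-WinEvent with ToXml()) and flags records whose Data or Binary fields carry an unusually large, high-entropy blob, which is what an encrypted payload looks like next to normal event data. The XML root, the sample records, the size and entropy thresholds, and the stand-in payload are all constructed assumptions.

```python
"""Heuristic scan of exported Windows event records for large, high-entropy
payloads stashed in EventData (a detection aid, not a parser for any specific family)."""
import math
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MIN_LEN = 1024      # bytes; assumed threshold, legitimate EventData is usually far smaller
MIN_ENTROPY = 7.0   # bits per byte; assumed threshold, encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_field(text: str) -> bytes:
    """Decode a hex-encoded <Binary>/<Data> value to raw bytes; other text is taken as UTF-8."""
    s = text.strip()
    if s and len(s) % 2 == 0 and all(ch in "0123456789abcdefABCDEF" for ch in s):
        return bytes.fromhex(s)
    return s.encode("utf-8")


def scan_events(xml_text: str):
    """Return (record_id, provider, length, entropy) for every record whose Data/Binary
    fields carry a blob of at least MIN_LEN bytes with entropy >= MIN_ENTROPY."""
    findings = []
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec_id = system.findtext("e:EventRecordID", default="?", namespaces=NS)
        provider = system.find("e:Provider", NS)
        name = provider.get("Name", "?") if provider is not None else "?"
        for field in ev.iter():
            if field.tag.split("}")[-1] not in ("Data", "Binary") or not field.text:
                continue
            raw = decode_field(field.text)
            if len(raw) >= MIN_LEN:
                ent = shannon_entropy(raw)
                if ent >= MIN_ENTROPY:
                    findings.append((rec_id, name, len(raw), round(ent, 2)))
    return findings


def _constructed_blob(n: int, seed: int = 0x1234) -> str:
    """Deterministic pseudo-random bytes, hex-encoded; a constructed stand-in for an encrypted payload."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return out.hex()


# Constructed sample export: two ordinary records and one carrying a 4 KiB blob.
SAMPLE_XML = f"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <EventRecordID>1</EventRecordID></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
  <EventRecordID>2</EventRecordID></System>
  <EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="CustomSource"/><EventID>1001</EventID>
  <EventRecordID>3</EventRecordID></System>
  <EventData><Binary>{_constructed_blob(4096)}</Binary></EventData>
</Event>
</Events>"""


if __name__ == "__main__":
    for rec_id, name, length, ent in scan_events(SAMPLE_XML):
        print(f"record {rec_id} provider={name} bytes={length} entropy={ent}")
```

Only the third constructed record is reported. In practice the thresholds should be tuned per log: some providers legitimately write sizeable binary data, so a flagged record is a lead for triage (which provider wrote it, when, and whether the source is expected on that host), not a verdict.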
“We witnessed a new targeted malware technique that grabbed our attention,” says Denis Legezo, lead security researcher at Kaspersky. “For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to the MITRE matrix’s ‘defense evasion’ and ‘hide artifacts’ sections. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”
To learn more about the event logs technique, visit Securelist.com.
To protect yourself from fileless malware and similar threats, Kaspersky recommends:
· Using a reliable endpoint security solution. A dedicated component in Kaspersky Endpoint Security for Business can detect anomalies in files' behavior and reveal any fileless malware activity.
· Installing anti-APT and EDR solutions, enabling threat discovery and detection, investigation, and timely remediation of incidents. Additionally, provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of this is available within the Kaspersky Expert Security framework.
· Integrating proper endpoint protection and dedicated services that can help protect against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before attackers can achieve their goals.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn