This New Fileless Malware Hides Shellcode in Windows Event Logs


A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild.

“It allows the ‘fileless’ last stage trojan to be hidden from plain sight in the file system,” Kaspersky researcher Denis Legezo said in a technical write-up published this week.

The stealthy infection process, not attributed to a known actor, is believed to have commenced in September 2021 when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and Silent Break.

The adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications.

Also notable is the use of anti-detection wrappers as part of the toolset, suggesting an attempt on the part of the operators to fly under the radar.

Windows Event Log Malware ShellCode

One of the key methods is to keep encrypted shellcode containing the next-stage malware as 8KB pieces in event logs, a never-before-seen technique in real-world attacks, that’s then combined and executed.

Windows Event Log Malware ShellCode

The final payload is a set of trojans that employ two different communication mechanisms — HTTP with RC4 encryption and unencrypted with named pipes — which allow it to run arbitrary commands, download files from a URL, escalate privileges, and take screenshots.

Another indicator of the threat actor’s evasion tactics is the use of information gleaned from initial reconnaissance to develop succeeding stages of the attack chain, including the use of a remote server that mimics legitimate software used by the victim.

“The actor behind this campaign is quite capable,” Legezo said. “The code is quite unique, with no similarities to known malware.”

The disclosure comes as Sysdig researchers demonstrated a way to compromise read-only containers with fileless malware that’s executed in-memory by leveraging a critical flaw in Redis servers.

Products You May Like

Articles You May Like

Cyber-Attacks on Ukraine Surge 123%, But Success Rates Plummet
How to Interpret the 2023 MITRE ATT&CK Evaluation Results
ESET’s cutting-edge threat research at LABScon – Week in security with Tony Anscombe
Essential Guide to Cybersecurity Compliance
Over 700 Dark Web Ads Offer DDoS Attacks Via IoT in 2023

Leave a Reply

Your email address will not be published. Required fields are marked *