A new take on “fileless” malware: malicious code in event logs
In a recent investigation, Kaspersky experts uncovered a distinctive targeted malware campaign. The activity stands out for its novel use of Windows event logs to store malware and for the attackers' wide variety of techniques, including commercial pentesting suites and anti-detection wrappers, some of them compiled in Go. Several last-stage Trojans are used during the campaign.
Kaspersky experts have detected a targeted malware campaign that uses a unique technique: hiding "fileless" malware inside Windows event logs. The initial infection of the system was carried out by a dropper module contained in an archive downloaded by the victim. The attackers used a variety of previously unseen anti-detection wrappers to make the last-stage Trojans even harder to spot. To further avoid detection, some modules were signed with a digital certificate.
The attackers employed two types of Trojans for the last stage, used to gain further access to the system. Commands from the control servers are delivered in two ways: over HTTP network communications and through named pipes. Some Trojan versions support a command system containing dozens of commands from the C2.
The campaign also included commercial pentesting tools, namely SilentBreak and CobaltStrike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcode on the system.
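As an added illustration (not code from Kaspersky or from the Securelist write-up), the following Python script shows a defensive hunt for the storage technique described above: it scans event records for long encoded or high-entropy blobs that ordinary log text never contains, and reports where such records cluster by log, provider and event ID. The record structure, provider names, event IDs and payloads are all constructed for this example; on a real host the records would come from Get-WinEvent or an EVTX parser.

```python
import base64
import math
import random
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class EventRecord:
    """Minimal stand-in for one Windows event log entry (constructed for the
    example; not an EVTX parser). Fields mirror what Get-WinEvent exposes."""
    log_name: str
    provider: str
    event_id: int
    message: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# One unbroken run of base64/hex-style characters. Ordinary event text is
# broken up by spaces, punctuation and path separators long before 256 chars.
_BLOB_TOKEN = re.compile(r"[A-Za-z0-9+/=]{256,}")


def is_suspicious_message(message: str, min_len: int = 512,
                          entropy_threshold: float = 5.5) -> bool:
    """Two signals: a long encoded token (catches base64 and hex, whose byte
    entropy is modest), or a long message whose bytes are far denser than
    prose (~4-4.5 bits/byte), which catches raw or encrypted data."""
    if _BLOB_TOKEN.search(message):
        return True
    raw = message.encode("utf-8", errors="surrogateescape")
    return len(raw) >= min_len and shannon_entropy(raw) >= entropy_threshold


def hunt_event_logs(records):
    """Return the flagged records plus a count per (log, provider, event ID),
    so an analyst sees where anomalous entries cluster rather than one hit."""
    flagged = [r for r in records if is_suspicious_message(r.message)]
    clusters = Counter((r.log_name, r.provider, r.event_id) for r in flagged)
    return flagged, clusters


def build_sample_records():
    """Constructed sample data: two benign entries (one long but prose-like)
    and four that carry payload-shaped data in base64, hex and raw bytes."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible

    def b64_chunk():
        return base64.b64encode(bytes(rng.getrandbits(8) for _ in range(768))).decode()

    hex_blob = "".join(rng.choice("0123456789abcdef") for _ in range(600))
    raw_blob = bytes(rng.getrandbits(8) for _ in range(1200)).decode("latin-1")
    benign_long = " ".join(["The service entered the running state."] * 20)
    return [
        EventRecord("System", "ConstructedSvcProvider", 1, "The update service entered the running state."),
        EventRecord("Application", "ConstructedApp", 1001, benign_long),
        EventRecord("Application", "ConstructedProvider", 4242, b64_chunk()),
        EventRecord("Application", "ConstructedProvider", 4242, b64_chunk()),
        EventRecord("Application", "ConstructedProvider", 4243, hex_blob),
        EventRecord("Application", "ConstructedProvider", 4244, raw_blob),
    ]


if __name__ == "__main__":
    flagged, clusters = hunt_event_logs(build_sample_records())
    for (log, provider, event_id), n in sorted(clusters.items()):
        print(f"{log}/{provider}/event {event_id}: {n} suspicious record(s)")
```

The thresholds are deliberately conservative: a single long base64 field can be legitimate (certificates, serialized state), so the cluster count is the signal worth alerting on, and any hit should be followed by decoding the field and checking what process wrote those events.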
“We witnessed a new targeted malware technique that grabbed our attention. For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it's worth adding the event logs technique to the MITRE matrix's “defense evasion” section, in its “hide artifacts” part,” says Denis Legezo, lead security researcher at Kaspersky. “The usage of several commercial pentesting suites is also not something you see every day.”
To learn more about the event logs technique, visit Securelist.com
To protect yourself from fileless malware and similar threats, Kaspersky recommends:
o Using a reliable endpoint security solution. A dedicated component in Kaspersky Endpoint Security for Business can detect anomalies in files' behavior and reveal any fileless malware activity.
o Installing anti-APT and EDR solutions that provide threat discovery and detection, investigation and timely incident remediation capabilities. Additionally, provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of this is available within the Kaspersky Expert Security framework.
o Integrating proper endpoint protection and dedicated services that can help protect against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before attackers can achieve their goals.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.