Attackers Use Event Logs to Hide Fileless Malware

A sophisticated campaign utilizes a novel anti-detection method.

Researchers have discovered a malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines.

The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late-stage trojans, according to a Kaspersky research report released Wednesday.

Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month.


“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” wrote Denis Legezo, senior security researcher with Kaspersky’s Global Research and Analysis Team.

The attackers behind the campaign use a series of injection tools and anti-detection techniques to deliver the malware payload. “With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable,” Legezo wrote.

Fileless Malware Hides in Plain Sight (Event Logs)

The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. Both tools are popular among hackers, who use them as a vehicle for delivering shellcode to target machines.

Cobalt Strike and SilentBreak each use a separate anti-detection AES decryptor, compiled with Visual Studio.

The digital certificate for the Cobalt Strike module varies. According to Kaspersky, “15 different stagers from wrappers to last stagers were signed.”

Attackers are then able to leverage Cobalt Strike and SilentBreak to “inject code into any process” and can inject additional modules into Windows system processes or trusted applications such as DLP software.

“This layer of infection chain decrypts, maps into memory and launches the code,” they said.

The ability to inject malware into a system’s memory classifies it as fileless. As the name suggests, fileless malware infects targeted computers while leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. The technique, in which attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new.

What is new, however, is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs.”

Legezo said, “The dropper not only puts the launcher on disk for side-loading, but also writes information messages with shellcode into existing Windows KMS event log.”

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs,” he continues. “The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Next, a launcher is dropped into the Windows Tasks directory. “At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it,” the researcher wrote.
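The chunking and reassembly just described also gives defenders something concrete to hunt for. The following Python script is added here as an example and is not code from Kaspersky or from this article: it scans a set of event records for the markers the report cites (task category 0x4142, the Key Management Service source, 8 KB binary blobs), adds an entropy check for encrypted content, and reassembles the flagged chunks in record order so an analyst can hash the recovered blob and submit it for analysis. The event records are constructed samples (pseudo-random bytes stand in for shellcode), the thresholds MIN_BINARY_LEN and ENTROPY_THRESHOLD are assumptions to tune per environment, and in practice the records would come from Get-WinEvent or an EVTX parser.

```python
# Added example (not Kaspersky's or Threatpost's code): defender-side triage for
# shellcode hidden in Windows event log records.
import hashlib
import math
import random
from dataclasses import dataclass

# Markers quoted from the Kaspersky report.
SUSPICIOUS_CATEGORY = 0x4142          # "AB" in ASCII
SUSPICIOUS_SOURCE = "Key Management Service"
CHUNK_SIZE = 8 * 1024                 # shellcode is split into 8 KB blocks

# Heuristic thresholds (assumptions; tune for your environment).
MIN_BINARY_LEN = 4 * 1024             # KMS events normally carry tiny binary data
ENTROPY_THRESHOLD = 7.0               # bits/byte; encrypted or packed data sits near 8


@dataclass
class EventRecord:
    """Minimal view of an event log record (fields mirror EVTX / Get-WinEvent)."""
    record_id: int
    source: str            # ProviderName / Source
    category: int          # Task category
    event_id: int
    message: str
    raw_data: bytes = b""  # the binary (lpRawData) part of the record


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def suspicion_reasons(ev: EventRecord) -> list[str]:
    """Return why an event looks like a shellcode carrier (empty list if clean)."""
    reasons = []
    if ev.category == SUSPICIOUS_CATEGORY and ev.source == SUSPICIOUS_SOURCE:
        reasons.append("category 0x4142 from Key Management Service")
    if len(ev.raw_data) >= MIN_BINARY_LEN:
        reasons.append(f"unusually large binary payload ({len(ev.raw_data)} bytes)")
        if shannon_entropy(ev.raw_data) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy binary payload")
    return reasons


def scan_events(events):
    """Return (record, reasons) pairs for every record with at least one reason."""
    return [(ev, r) for ev in events if (r := suspicion_reasons(ev))]


def reassemble(flagged):
    """Concatenate flagged chunks in record order, mirroring what the launcher
    thread does, so the recovered blob can be hashed and analysed offline."""
    ordered = sorted((ev for ev, _ in flagged), key=lambda e: e.record_id)
    return b"".join(ev.raw_data for ev in ordered)


def payload_sha256(blob: bytes) -> str:
    """Hash of the recovered blob, for reporting and sandbox submission."""
    return hashlib.sha256(blob).hexdigest()


# CONSTRUCTED sample data: deterministic pseudo-random bytes stand in for the
# encrypted shellcode chunks; nothing here is real malware.
_rng = random.Random(0x4142)
CONSTRUCTED_CHUNKS = [_rng.randbytes(CHUNK_SIZE) for _ in range(3)]

SAMPLE_EVENTS = [
    EventRecord(1001, SUSPICIOUS_SOURCE, 0, 1, "Activation request sent", b"\x00\x01"),
    EventRecord(1002, SUSPICIOUS_SOURCE, SUSPICIOUS_CATEGORY, 1, "", CONSTRUCTED_CHUNKS[0]),
    EventRecord(1005, SUSPICIOUS_SOURCE, SUSPICIOUS_CATEGORY, 1, "", CONSTRUCTED_CHUNKS[2]),
    EventRecord(1004, "Service Control Manager", 0, 7036, "Service entered running state"),
    EventRecord(1003, SUSPICIOUS_SOURCE, SUSPICIOUS_CATEGORY, 1, "", CONSTRUCTED_CHUNKS[1]),
]

if __name__ == "__main__":
    flagged = scan_events(SAMPLE_EVENTS)
    for ev, reasons in flagged:
        print(f"record {ev.record_id}: {'; '.join(reasons)}")
    blob = reassemble(flagged)
    print(f"recovered {len(blob)} bytes, sha256={payload_sha256(blob)}")
```

The category and source check is the precise match for this campaign; the size and entropy rules are there because the marker values are trivially changed by the attacker, whereas an information-level KMS event carrying kilobytes of near-random binary data is anomalous regardless of the category used.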

“Such attention to the event logs in the campaign isn’t limited to storing shellcodes,” the researchers added. “Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.”

Unidentified Adversary Delivers Payload of Pain

Using this stealthy approach, the attackers can deliver either of their two remote access trojans (RATs), each one a combination of complex, custom code and elements of publicly available software.

In all, with their “ability to inject code into any process using Trojans, the attackers are free to use this feature widely to inject the next modules into Windows system processes or trusted applications.”

Attribution in cyberspace is tricky. The best that analysts can do is dig deep into attackers’ tactics, techniques and procedures (TTPs), and the code they write. If those TTPs or that code overlap with past campaigns from known actors, it might be the basis for incriminating a suspect.

In this case, the researchers found attribution difficult.

That’s because, beyond the unprecedented technique of injecting shellcode into Windows event logs, there’s one other unique component to this campaign: the code itself. While the droppers are commercially available products, the anti-detection wrappers and RATs they come paired with are custom made (though, the researchers hedged, “some modules which we consider custom, such as wrappers and last stagers, could possibly be parts of commercial products”).

According to the report, “the code is quite unique, with no similarities to known malware.” For that reason, the researchers have yet to determine the identity of the attackers.

“If new modules appear and allow us to connect the activity to some actor we will update the name accordingly.”
