Tuesday, November 26, 2024
HomeCyber Security NewsAttackers Inject Fileless Malware Directly into Windows Event Logs

Attackers Inject Fileless Malware Directly into Windows Event Logs

Published on

Cybersecurity analysts have discovered an unknown malware campaign combining two methods never before employed by the cybercriminals to infect victims’ machines with fileless malware.

Shellcode can be injected directly into Windows event log files using this technique. The Windows event logs can thus be used by adversaries to hide their malicious Trojans in the process of downloading them.

The researchers discovered this campaign in February, and it is believed that the unknown adversaries have been operating since then.

- Advertisement - SIEM as a Service

Malware payload is delivered by a series of injection tools and anti-detection techniques used by the attackers behind the campaign.

Infection Chain

In the course of investigating the campaign, experts found a number of techniques and modules that appear to be quite innovative, and sophisticated. In order to technically describe them, they are all divided into different classes.

Here below we have mentioned some sets of modules below:- 

  • Commercial pentesting suites.
  • Custom anti-detection wrappers.
  • Last stage Trojans.

Fileless Malware

At some point, the adversary drives the target’s computer to a legitimate website, in order to launch the first stage of the attack. 

Once the target is lured into downloading the .RAR file, it will be boobytrapped with Cobalt Strike and SilentBreak, they both are pentesting tools and popular among hackers.

Both Cobalt Strike and SilentBreak take advantage of different AES decryptors across both products and compile them using Visual Studio.

The second step consists of an attacker executing Cobalt Strike and SilentBreak in order to inject code into any process and further inject additional modules such as DLP into trusted applications such as Windows system processes.

The code has been broken up into 8KB blocks and stored in the binary part of the event logs in order to avoid detection. Here’s what the security expert at Securelist, DENIS LEGEZO stated:-

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Payload of Pain

The attacker can deliver either of their two remote access trojans (RATs) utilizing this stealthy method. Each one of them is a mixture of highly complicated custom-written code and components of existing public software.

In order to significantly increase their chances of success, analysts must dig deeper into the tactics, techniques, and cyphers used by attackers.

Here below we have mentioned the domains used by the attackers in these campaigns:-

  • eleed[.]online
  • eleed[.]cloud
  • timestechnologies[.]org
  • avstats[.]net
  • mannlib[.]com
  • nagios.dreamvps[.]com
  • opswat[.]info

The event logs technique is the most innovative part of the campaign, which is something that we have never seen before. The actor behind this campaign is quite adept at using at least two commercial products, as well as several types of last-stage RATs and anti-detection wrappers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec,...

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has...

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to...

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has...

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to...

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team...