Monday, October 7, 2024
HomeCyber Security NewsAttackers Inject Fileless Malware Directly into Windows Event Logs

Attackers Inject Fileless Malware Directly into Windows Event Logs

Published on

Cybersecurity analysts have discovered an unknown malware campaign combining two methods never before employed by the cybercriminals to infect victims’ machines with fileless malware.

Shellcode can be injected directly into Windows event log files using this technique. The Windows event logs can thus be used by adversaries to hide their malicious Trojans in the process of downloading them.

The researchers discovered this campaign in February, and it is believed that the unknown adversaries have been operating since then.

- Advertisement - EHA

Malware payload is delivered by a series of injection tools and anti-detection techniques used by the attackers behind the campaign.

Infection Chain

In the course of investigating the campaign, experts found a number of techniques and modules that appear to be quite innovative, and sophisticated. In order to technically describe them, they are all divided into different classes.

Here below we have mentioned some sets of modules below:- 

  • Commercial pentesting suites.
  • Custom anti-detection wrappers.
  • Last stage Trojans.

Fileless Malware

At some point, the adversary drives the target’s computer to a legitimate website, in order to launch the first stage of the attack. 

Once the target is lured into downloading the .RAR file, it will be boobytrapped with Cobalt Strike and SilentBreak, they both are pentesting tools and popular among hackers.

Both Cobalt Strike and SilentBreak take advantage of different AES decryptors across both products and compile them using Visual Studio.

The second step consists of an attacker executing Cobalt Strike and SilentBreak in order to inject code into any process and further inject additional modules such as DLP into trusted applications such as Windows system processes.

The code has been broken up into 8KB blocks and stored in the binary part of the event logs in order to avoid detection. Here’s what the security expert at Securelist, DENIS LEGEZO stated:-

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Payload of Pain

The attacker can deliver either of their two remote access trojans (RATs) utilizing this stealthy method. Each one of them is a mixture of highly complicated custom-written code and components of existing public software.

In order to significantly increase their chances of success, analysts must dig deeper into the tactics, techniques, and cyphers used by attackers.

Here below we have mentioned the domains used by the attackers in these campaigns:-

  • eleed[.]online
  • eleed[.]cloud
  • timestechnologies[.]org
  • avstats[.]net
  • mannlib[.]com
  • nagios.dreamvps[.]com
  • opswat[.]info

The event logs technique is the most innovative part of the campaign, which is something that we have never seen before. The actor behind this campaign is quite adept at using at least two commercial products, as well as several types of last-stage RATs and anti-detection wrappers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Chinese Group Hacked US Court Wiretap Systems

Chinese hackers have infiltrated the networks of major U.S. broadband providers, gaining access to...

19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service, identified as CVE-2024-45519, has left over 19,600...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Chinese Group Hacked US Court Wiretap Systems

Chinese hackers have infiltrated the networks of major U.S. broadband providers, gaining access to...

19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service, identified as CVE-2024-45519, has left over 19,600...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...