Friday, March 29, 2024

Attackers Inject Fileless Malware Directly into Windows Event Logs

Cybersecurity analysts have discovered an unknown malware campaign combining two methods never before employed by the cybercriminals to infect victims’ machines with fileless malware.

Shellcode can be injected directly into Windows event log files using this technique. The Windows event logs can thus be used by adversaries to hide their malicious Trojans in the process of downloading them.

The researchers discovered this campaign in February, and it is believed that the unknown adversaries have been operating since then.

Malware payload is delivered by a series of injection tools and anti-detection techniques used by the attackers behind the campaign.

Infection Chain

In the course of investigating the campaign, experts found a number of techniques and modules that appear to be quite innovative, and sophisticated. In order to technically describe them, they are all divided into different classes.

Here below we have mentioned some sets of modules below:- 

  • Commercial pentesting suites.
  • Custom anti-detection wrappers.
  • Last stage Trojans.

Fileless Malware

At some point, the adversary drives the target’s computer to a legitimate website, in order to launch the first stage of the attack. 

Once the target is lured into downloading the .RAR file, it will be boobytrapped with Cobalt Strike and SilentBreak, they both are pentesting tools and popular among hackers.

Both Cobalt Strike and SilentBreak take advantage of different AES decryptors across both products and compile them using Visual Studio.

The second step consists of an attacker executing Cobalt Strike and SilentBreak in order to inject code into any process and further inject additional modules such as DLP into trusted applications such as Windows system processes.

The code has been broken up into 8KB blocks and stored in the binary part of the event logs in order to avoid detection. Here’s what the security expert at Securelist, DENIS LEGEZO stated:-

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Payload of Pain

The attacker can deliver either of their two remote access trojans (RATs) utilizing this stealthy method. Each one of them is a mixture of highly complicated custom-written code and components of existing public software.

In order to significantly increase their chances of success, analysts must dig deeper into the tactics, techniques, and cyphers used by attackers.

Here below we have mentioned the domains used by the attackers in these campaigns:-

  • eleed[.]online
  • eleed[.]cloud
  • timestechnologies[.]org
  • avstats[.]net
  • mannlib[.]com
  • nagios.dreamvps[.]com
  • opswat[.]info

The event logs technique is the most innovative part of the campaign, which is something that we have never seen before. The actor behind this campaign is quite adept at using at least two commercial products, as well as several types of last-stage RATs and anti-detection wrappers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles