Sunday, July 21, 2024

Attackers Inject Fileless Malware Directly into Windows Event Logs

Cybersecurity analysts have discovered an unknown malware campaign combining two methods never before employed by the cybercriminals to infect victims’ machines with fileless malware.

Shellcode can be injected directly into Windows event log files using this technique. The Windows event logs can thus be used by adversaries to hide their malicious Trojans in the process of downloading them.

The researchers discovered this campaign in February, and it is believed that the unknown adversaries have been operating since then.

Malware payload is delivered by a series of injection tools and anti-detection techniques used by the attackers behind the campaign.

Infection Chain

In the course of investigating the campaign, experts found a number of techniques and modules that appear to be quite innovative, and sophisticated. In order to technically describe them, they are all divided into different classes.

Here below we have mentioned some sets of modules below:- 

  • Commercial pentesting suites.
  • Custom anti-detection wrappers.
  • Last stage Trojans.

Fileless Malware

At some point, the adversary drives the target’s computer to a legitimate website, in order to launch the first stage of the attack. 

Once the target is lured into downloading the .RAR file, it will be boobytrapped with Cobalt Strike and SilentBreak, they both are pentesting tools and popular among hackers.

Both Cobalt Strike and SilentBreak take advantage of different AES decryptors across both products and compile them using Visual Studio.

The second step consists of an attacker executing Cobalt Strike and SilentBreak in order to inject code into any process and further inject additional modules such as DLP into trusted applications such as Windows system processes.

The code has been broken up into 8KB blocks and stored in the binary part of the event logs in order to avoid detection. Here’s what the security expert at Securelist, DENIS LEGEZO stated:-

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Payload of Pain

The attacker can deliver either of their two remote access trojans (RATs) utilizing this stealthy method. Each one of them is a mixture of highly complicated custom-written code and components of existing public software.

In order to significantly increase their chances of success, analysts must dig deeper into the tactics, techniques, and cyphers used by attackers.

Here below we have mentioned the domains used by the attackers in these campaigns:-

  • eleed[.]online
  • eleed[.]cloud
  • timestechnologies[.]org
  • avstats[.]net
  • mannlib[.]com
  • nagios.dreamvps[.]com
  • opswat[.]info

The event logs technique is the most innovative part of the campaign, which is something that we have never seen before. The actor behind this campaign is quite adept at using at least two commercial products, as well as several types of last-stage RATs and anti-detection wrappers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles