Attackers Inject Fileless Malware Directly into Windows Event Logs

Cybersecurity analysts have discovered a previously unknown malware campaign that combines two methods never before used by cybercriminals to infect victims' machines with fileless malware.

With this technique, shellcode is injected directly into Windows event log files. Adversaries can thus use the Windows event logs to hide their malicious Trojans in the process of downloading them.

The researchers discovered this campaign in February, and it is believed that the unknown adversaries have been operating since then.

The attackers behind the campaign deliver the malware payload using a series of injection tools and anti-detection techniques.

Infection Chain

In the course of investigating the campaign, experts found a number of techniques and modules that appear to be quite innovative and sophisticated. To describe them technically, they divided them into classes.

The sets of modules include:

  • Commercial pentesting suites.
  • Custom anti-detection wrappers.
  • Last stage Trojans.

Fileless Malware

To launch the first stage of the attack, the adversary at some point drives the target's computer to a legitimate website.

There the target is lured into downloading a .RAR file that is booby-trapped with Cobalt Strike and SilentBreak, both of which are pentesting tools popular among hackers.

Both Cobalt Strike and SilentBreak take advantage of different AES decryptors, which are compiled using Visual Studio.

In the second step, the attacker executes Cobalt Strike and SilentBreak to inject code into any process and to inject additional modules such as DLP into trusted applications such as Windows system processes.

To avoid detection, the code is broken up into 8KB blocks and stored in the binary part of the event logs. Denis Legezo, a security expert at Securelist, stated:

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”
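A hunt for the two indicators in the quote above, added here as an example and not taken from Securelist or from the campaign's tooling. It assumes Windows PowerShell 5.1 in an elevated session (Get-EventLog is not available in PowerShell 7), and the 1024-byte raw-data threshold is an assumption chosen to surface chunk-sized binary payloads.

```powershell
# Added example: look for event records that match the indicators quoted above.
#   - source "Key Management Service"
#   - category 0x4142 ("AB" in ASCII)
#   - large binary payload in the record's raw data (lpRawData of ReportEvent)
$Category = 0x4142
$Source   = 'Key Management Service'
$MinBytes = 1024   # assumed threshold; the article describes 8KB chunks

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$hits = foreach ($log in Get-EventLog -List) {
    try {
        # -Source narrows the read; logs with no matching record only raise
        # a non-terminating error, which is suppressed here.
        Get-EventLog -LogName $log.Log -Source $Source -ErrorAction SilentlyContinue |
            Where-Object {
                $_.CategoryNumber -eq $Category -or $_.Data.Length -ge $MinBytes
            } |
            ForEach-Object {
                $len = [int]$_.Data.Length
                [pscustomobject]@{
                    Log           = $log.Log
                    Index         = $_.Index
                    TimeGenerated = $_.TimeGenerated
                    EntryType     = $_.EntryType
                    Category      = '0x{0:X4}' -f $_.CategoryNumber
                    CategoryMatch = ($_.CategoryNumber -eq $Category)
                    RawDataBytes  = $len
                    # Hash instead of dumping the bytes, so the report is safe to share.
                    RawDataSha256 = if ($len -gt 0) {
                        [BitConverter]::ToString($sha256.ComputeHash($_.Data)) -replace '-'
                    } else { $null }
                }
            }
    } catch {
        Write-Warning "Could not read log '$($log.Log)': $($_.Exception.Message)"
    }
}

if ($hits) {
    $hits | Sort-Object TimeGenerated | Format-Table -AutoSize
    $total = ($hits | Measure-Object RawDataBytes -Sum).Sum
    Write-Output "$(@($hits).Count) suspicious record(s), $total bytes of raw data in total."
} else {
    Write-Output 'No records matched the category or raw-data size indicators.'
}
```

Records that match on both category and size deserve priority; a size-only match from this source can be benign and should be compared against the host's normal Key Management Service events.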

Payload of Pain

Using this stealthy method, the attacker can deliver either of their two remote access trojans (RATs). Each of them is a mixture of highly complicated custom-written code and components of existing public software.

In order to significantly increase their chances of success, analysts must dig deeper into the tactics, techniques, and cyphers used by attackers.

The attackers used a number of domains in these campaigns.


The event log technique is the most innovative part of the campaign, and it is something that we have never seen before. The actor behind this campaign is quite adept at using at least two commercial products, as well as several types of last-stage RATs and anti-detection wrappers.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
