Kaspersky Uncovers Fileless Malware Inside Windows Event Logs
Texas RE Training Reminder Reliability 101: Navigating Noncompliance Resolution
June 24, 2022CISA Releases Second Version of Guidance for Secure Migration to the Cloud
June 27, 2022
The cybersecurity and anti-virus provider, Kaspersky has discovered an unprecedented, targeted malware campaign that uses a unique technique to hide fileless malware inside the Windows event logs. Kaspersky released information on May 4, describing how the hackers were able to hide Trojans in the documents as fileless malware.
How did the hackers do this?
The dropper module was used for the first infection of the system when the victim downloaded an archive. The malware campaign leveraged techniques such as commercial penetration testing suites and anti-detection wrappers, to make sure that the last stage Trojans were less visible as compared to the earlier ones. The malware campaign included two penetration testing tools: SilentBreak and CobaltStrike. During the last stage, two different methods were used to deploy two Trojans, which gave the hackers further access into the system. The methods used to deliver the Trojans were: HTTP network communication and engagement with the named pipes. Some Trojans were able to use a system containing a huge number of C2 commands.
The first known malware hiding took place in September 2021, when the hackers were able to get a target to download an .rar file through an authentic website, which unpacked .dll Trojan files into the hard drive of the victim. This peculiar activity was detected by the researchers at Kaspersky, who were able to look into the incident and determine the details.
“We witnessed a new targeted malware technique that grabbed our attention,” said Denis Legezo, lead security researcher at Kaspersky. “For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to MITRE Matrix’s Defense Evasion and Hide Artifacts section. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”
To learn more about the event logs technique, you may visit Securelist.com.
Tips by Kaspersky to protect against such an attack
The following recommendations have been made by Kaspersky for Windows users:
- Use a reliable endpoint security solution. A dedicated component in Kaspersky Endpoint Security for Business can detect anomalies in the behavior of files and reveal any fileless activity.
- Install anti-APT and EDR solutions.
- Integrate proper endpoint protection and dedicated services to help protect against high-profile attacks. It is best to try and identify and stop attacks in their early stages.
