The cybersecurity and anti-virus provider Kaspersky has discovered an unprecedented, targeted malware campaign that uses a new technique to hide fileless malware inside the Windows event logs. Kaspersky released details on May 4, describing how the attackers kept the Trojans' encrypted shellcode in event log records, so that the payload stayed off disk, and later read it back out of the logs to execute it.
How did the hackers do this?
The initial infection was performed by a dropper module that ran when the victim downloaded and opened an archive. Rather than custom tooling at every stage, the campaign relied on commercial penetration-testing suites and anti-detection wrappers, so that the last-stage Trojans were less visible than the earlier components; the two suites observed were SilentBreak and Cobalt Strike. In the final stage two distinct Trojans were deployed, each giving the attackers further remote access to the system. They differed in how they communicated with their command-and-control (C2) infrastructure: one used HTTP network communication, the other named pipes. One of the Trojans supported a large set of C2 commands.
The first observed activity dates to September 2021, when the attackers got a target to download a .rar archive from a legitimate website; unpacking it placed the Trojan .dll files on the victim's hard drive. Kaspersky's researchers detected this unusual activity, investigated the incident and pieced together the details of the campaign.
“We witnessed a new targeted malware technique that grabbed our attention,” said Denis Legezo, lead security researcher at Kaspersky. “For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to MITRE Matrix’s Defense Evasion and Hide Artifacts section. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”
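The technique Legezo describes, shellcode split into pieces and written into event log records, leaves a hunting opportunity: log messages are supposed to be text, and an encrypted payload is not. The following is an added example, not Kaspersky's code and not a reproduction of the campaign's artefacts. It scans exported event records for messages that look like opaque binary blobs (high byte entropy, few printable characters), groups the hits by log, source and event ID, and reassembles them in record-ID order, which is the order a loader would read them back. The log name "Application", source "ExampleSvc", event ID 9999, the entropy and printable-ratio thresholds, and the sample records are all constructed for this example; the real log, source and event ID used by the campaign are documented in the Securelist write-up and are not assumed here.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EventRecord:
    """One Windows event log record as an analyst would export it.

    `message` holds the event's message/data field. Binary payloads are
    stored as latin-1 text so that every byte round-trips unchanged.
    """
    record_id: int
    log_name: str
    source: str
    event_id: int
    message: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, above 7 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def is_suspicious(record: EventRecord, min_len: int = 64,
                  min_entropy: float = 6.0, max_printable: float = 0.85) -> bool:
    """Flag a record whose message looks like a binary blob rather than text.

    The thresholds are heuristic choices for this example, not values taken
    from the campaign write-up. Short messages are ignored because entropy
    estimates on a few dozen bytes are meaningless.
    """
    data = record.message.encode("latin-1")
    if len(data) < min_len:
        return False
    return shannon_entropy(data) >= min_entropy and printable_ratio(data) <= max_printable


def find_payload_chunks(records):
    """Group suspicious records by (log, source, event id), ordered by record id."""
    groups = defaultdict(list)
    for r in records:
        if is_suspicious(r):
            groups[(r.log_name, r.source, r.event_id)].append(r)
    for chunks in groups.values():
        chunks.sort(key=lambda r: r.record_id)
    return dict(groups)


def reassemble(chunks) -> bytes:
    """Concatenate ordered chunk messages back into the stored payload."""
    return b"".join(c.message.encode("latin-1") for c in chunks)


# --- constructed sample data (not real campaign artefacts) -------------------

# Deterministic high-entropy bytes standing in for an encrypted payload.
FAKE_PAYLOAD = b"".join(hashlib.sha256(b"example-%d" % i).digest() for i in range(24))
CHUNK_SIZE = 256  # chunk size is arbitrary for the example


def _chunk_records(payload: bytes, size: int, first_id: int, step: int):
    """Write the payload into consecutive 'events', leaving gaps for benign records."""
    return [
        EventRecord(first_id + i * step, "Application", "ExampleSvc", 9999,
                    payload[off:off + size].decode("latin-1"))
        for i, off in enumerate(range(0, len(payload), size))
    ]


SAMPLE_RECORDS = [
    EventRecord(100, "Application", "ExampleSvc", 1000,
                "Service started successfully. Listening on port 8080."),
    *_chunk_records(FAKE_PAYLOAD, CHUNK_SIZE, 101, 2),   # record ids 101, 103, 105
    EventRecord(102, "System", "Service Control Manager", 7036,
                "The Windows Update service entered the running state."),
    EventRecord(104, "Application", "ExampleSvc", 1001,
                "Configuration reloaded from C:\\ProgramData\\ExampleSvc\\config.xml"),
]


def hunt(records=SAMPLE_RECORDS):
    """Return {(log, source, event_id): reassembled payload bytes} for every hit."""
    return {key: reassemble(chunks) for key, chunks in find_payload_chunks(records).items()}


if __name__ == "__main__":
    for key, payload in hunt().items():
        print(f"{key}: {len(payload)} bytes, entropy {shannon_entropy(payload):.2f}")
```

The byte-level heuristic catches raw ciphertext but not a payload that has been re-encoded as text (base64 or hex), which keeps the printable ratio at 1.0; for those, add checks on message length, absence of whitespace, and messages from a source that never normally logs to that channel, and baseline the entropy of each source's legitimate messages before setting thresholds.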
To learn more about the event logs technique, you may visit Securelist.com.
Tips by Kaspersky to protect against such an attack
The following recommendations have been made by Kaspersky for Windows users: