Fileless malware techniques using Windows event logs are observed

For the first time, researchers at the security company Kaspersky have observed a method that makes the infection process harder to trace by hiding shellcode inside the Windows event log.

A new secret stash for “fileless” malware | Securelist

Hackers are now hiding malware in Windows Event Logs

According to Kaspersky Lab's chief security researcher Denis Legezo, a method of exploiting event logs was observed in February 2022. It was used in targeted attack campaigns, and this is the first time the technique has been observed in an actual attack.

When attackers launch malware against a target, they take various measures to keep it from being detected by security software. "Fileless malware" is harder to detect because it uses legitimate tools that ship with Windows to execute malicious commands and scripts.

In this attack as well, 'WerFault.exe', which belongs to Windows' legitimate error-reporting feature, is used as the launcher; the files related to the malware are digitally signed; and the dropper patches logging-related API functions such as 'EtwEventWriteFull' in its own process with empty stub functions. Various detection-evasion measures of this kind have been taken, but according to Mr. Legezo, the point of 'hiding the shellcode in the event log' is particularly revolutionary.
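Shellcode stored in the event log has to live inside log records, so one defensive check is to hunt for records carrying unusually large opaque payloads. The script below is an added hunting example, not code from the article or from Kaspersky; the log names, the 4096-byte threshold and the 30-day window are assumptions to adjust for your environment, and it must run with administrator rights on the host being examined.

```powershell
# Added hunting example: list event-log records whose binary or string payload is
# unusually large, which is how shellcode chunks hidden in a log would stand out.
param(
    [string[]]$LogNames = @('Application', 'System'),   # assumed: logs to inspect
    [int]$MinBytes = 4096,                              # assumed: size worth a closer look
    [datetime]$Since = (Get-Date).AddDays(-30)          # assumed: hunting window
)

$suspicious = foreach ($log in $LogNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sum the size of every byte-array property (the record's "binary data" field)
            # plus any single string property that is itself very long.
            $bytes = 0
            foreach ($p in $_.Properties) {
                $v = $p.Value
                if ($v -is [byte[]]) {
                    $bytes += $v.Length
                } elseif ($v -is [string] -and $v.Length -ge $MinBytes) {
                    $bytes += $v.Length
                }
            }
            if ($bytes -ge $MinBytes) {
                [pscustomobject]@{
                    Log         = $log
                    TimeCreated = $_.TimeCreated
                    Provider    = $_.ProviderName
                    EventId     = $_.Id
                    RecordId    = $_.RecordId
                    PayloadSize = $bytes
                }
            }
        }
}

# Largest payloads first; a burst of oversized records from one provider
# within a short time span is the pattern to follow up on.
$suspicious | Sort-Object PayloadSize -Descending |
    Format-Table Log, TimeCreated, Provider, EventId, RecordId, PayloadSize -AutoSize
```

Legitimate providers can also write large records (crash dumps, diagnostics), so treat hits as leads to triage against the provider and the process that wrote them, not as verdicts.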

In addition to using at least two commercial toolkits, 'Silent Break (NetSPI)' and 'Cobalt Strike', the attack involves multiple detection-evasion programs and a final-stage RAT (remote access trojan), so the attackers behind it are presumed to be quite skilled.

in Security, Posted by logc_nt