Hackers hiding malware in Windows Event Logs
Newly discovered method is “impressive”, experts admit
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
In what seems to be a world first, hackers have used a custom malware dropper to plant fileless malware in Windows event logs for the Key Management Services (KMS).
Cybersecurity researchers from Kaspersky first spotted the new technique after being tipped off by a customer with an infectedendpoint. The entire campaign, the researchers are saying, is “very targeted”, and deploys a large set of tools, some of which are custom-built, and some of which are commercial.
According to Kaspersky’s Denis Legezo, this is the first time this technique has been spotted in the wild. As he explained, themalwaredropper copies WerFault.exe, the OS’ real error handling file, into the C:\Windows\Tasks folder, and then adds an encrypted binary resource to Wer.dll (short for Windows Error Reporting) into the same location. That way, through DLL search order hijacking, malicious code can be loaded into the system.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
SilentBreak
The loader’s purpose, Legezo says, is to look for specific lines in the event logs. If it doesn’t find them, it will write pieces of encrypted shellcode, which would later form the malware for the next stage of the attack.
In other words, wer.dll serves as a loader, and without the shellcode in Windows event logs, can’t do much harm.
The entire technique, and the way it’s been pulled off, is “impressive”, Legezo told the publication. “The actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools,” he said, hinting at an APT attacker.
Why ‘fileless malware’ is the biggest new threat to your business>This cheeky new malware strain hides in the Windows Registry>Nearly all businesses are expecting to face a cyberattack this year
Who the threat actor is, is anyone’s guess at the moment. According to the researchers, the campaign started in September 2021, and given that the campaign bears no similarities to any previous attacks recorded, it’s likely that we’re looking at a completely new player.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
For the time being, the researchers are dubbing the attacker SilentBreak.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
5 must-have Android apps
