Attackers Use Event Logs to Hide Fileless Malware

Attackers use anti-detection methods.
Plant fileless malware on target machines.
Attackers remain unidentified.

Introduction:
Researchers have discovered a malicious campaign using a never-before-seen technique for quietly planting fileless malware on target machines: shellcode is injected directly into Windows event logs, which then serve as cover for late-stage trojans. Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month. The event log technique, which the researchers had not seen before, is the most innovative part of the campaign. The attackers behind it use a series of injection tools and anti-detection techniques to deliver the malware payload. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable.

Details:
The first stage of the attack involves the adversary driving targets to a legitimate website and enticing them to download a compressed .RAR file booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. Both tools are popular among attackers, who use them as a vehicle for delivering shellcode to target machines. Cobalt Strike and SilentBreak each use a separate anti-detection AES decryptor, compiled with Visual Studio. The digital certificate used to sign the Cobalt Strike module varies; 15 different stagers, from wrappers to last-stage modules, are signed. Attackers are then able to leverage Cobalt Strike and SilentBreak to inject code into any process, including additional modules into Windows system processes or trusted applications such as DLP software. This layer of the infection chain decrypts the code, maps it into memory and launches it.

Currently:
The ability to inject malware directly into a system's memory classifies it as fileless. As the name suggests, fileless malware infects targeted computers while leaving no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. The technique of hiding activity in a computer's random-access memory and using native Windows tools such as PowerShell and Windows Management Instrumentation (WMI) is not new. What is new is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs.

To avoid detection, the code is divided into 8 KB blocks and saved in the binary part of event log records. The dropper not only puts the launcher on disk for side-loading, but also writes information messages carrying shellcode into the existing Windows KMS event log. The dropped wer.dll is a loader and would do no harm without the shellcode hidden in the event logs. The dropper searches the event logs for records with category 0x4142 ('AB' in ASCII) and the Key Management Service as source. If none is found, the 8 KB chunks of shellcode are written into informational log messages via the ReportEvent() Windows API function (lpRawData parameter). Next, a launcher is dropped into the Windows Tasks directory. At its entry point, a separate thread combines all the 8 KB pieces into a complete shellcode and runs it.

Such attention to the event logs is not limited to storing shellcode. Dropper modules also patch Windows native API functions related to Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to make the infection process stealthier.
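The loader's own search criteria (source Key Management Service, category 0x4142, raw data written through ReportEvent's lpRawData) can be turned around into a hunt. The Python below is an added example, not code from the original article or from the researchers who analysed the campaign: it parses an event XML export in the shape wevtutil or Get-WinEvent's ToXml() produces (the classic-API category shows up there as the Task element, the raw data as the Binary element), selects matching records, reassembles the 8 KB chunks and reports the blob's size and entropy. The sample records it builds are constructed, and the event ID used in them, the choice of EventRecordID order for reassembly, and the entropy reading as a triage signal are assumptions.

```python
"""Hunt for shellcode chunks stashed in Windows event log records.

Added example, not code from the original article or from the researchers
who analysed the campaign.  It runs the loader's search criteria in
reverse as a detection: select records whose Provider is
'Key Management Service', whose Task (the classic-API 'category' that
ReportEvent's wCategory sets) is 0x4142, and which carry raw binary data
(ReportEvent's lpRawData, exported as the <Binary> element), then
reassemble the chunks so an analyst has the complete blob to triage.

Input is event XML in the shape `wevtutil qe` or Get-WinEvent's ToXml()
emits.  Using EventRecordID order for reassembly is an assumption; the
sample records are constructed here, not real telemetry, and the
'payload' is filler bytes.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPECT_PROVIDER = "Key Management Service"
SUSPECT_TASK = 0x4142      # 'AB' in ASCII, the category the loader looks for
CHUNK_SIZE = 8 * 1024      # the dropper writes the payload in 8 KB pieces

# Constructed record template (event ID and record numbers are illustrative).
EVENT_TMPL = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Key Management Service"/>'
    '<EventID Qualifiers="0">12290</EventID><Level>4</Level>'
    '<Task>{task}</Task><EventRecordID>{record_id}</EventRecordID>'
    '<Channel>Key Management Service</Channel></System>'
    '<EventData><Data>Constructed sample record</Data>'
    '<Binary>{binary}</Binary></EventData>'
    '</Event>'
)


def build_sample_xml(payload: bytes) -> str:
    """Constructed export: one benign KMS record (Task 0, no binary data)
    followed by the payload split into CHUNK_SIZE pieces, as the dropper
    would store it via ReportEvent()."""
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)]
    records = [EVENT_TMPL.format(task=0, record_id=100, binary="")]
    for n, chunk in enumerate(chunks):
        records.append(EVENT_TMPL.format(task=SUSPECT_TASK, record_id=101 + n,
                                         binary=chunk.hex().upper()))
    return "<Events>" + "".join(records) + "</Events>"


def parse_events(xml_text: str) -> list:
    """Pull provider, task (category), record id and raw bytes from each <Event>."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        provider = ev.find("e:System/e:Provider", NS)
        events.append({
            "provider": provider.get("Name", "") if provider is not None else "",
            "task": int(ev.findtext("e:System/e:Task", default="0", namespaces=NS)),
            "record_id": int(ev.findtext("e:System/e:EventRecordID", default="0", namespaces=NS)),
            "binary": bytes.fromhex(ev.findtext("e:EventData/e:Binary", default="", namespaces=NS)),
        })
    return events


def suspect_records(events: list) -> list:
    """The loader's own selection criteria, applied as a hunting filter."""
    hits = [e for e in events
            if e["provider"] == SUSPECT_PROVIDER and e["task"] == SUSPECT_TASK and e["binary"]]
    return sorted(hits, key=lambda e: e["record_id"])   # assumed reassembly order


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted shellcode sits near 8.0, plain text far below."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def hunt(xml_text: str) -> dict:
    """Select, reassemble and characterise any stash found in the export."""
    hits = suspect_records(parse_events(xml_text))
    chunks = [e["binary"] for e in hits]
    blob = b"".join(chunks)
    # The dropper writes full 8 KB blocks plus one trailing remainder.
    chunked = bool(chunks) and all(len(c) == CHUNK_SIZE for c in chunks[:-1]) \
        and len(chunks[-1]) <= CHUNK_SIZE
    return {"suspect_records": len(hits), "blob_size": len(blob),
            "chunked_like_dropper": chunked, "entropy": shannon_entropy(blob), "blob": blob}


if __name__ == "__main__":
    sample_payload = bytes(range(256)) * 40        # 10 KB of filler, two chunks
    result = hunt(build_sample_xml(sample_payload))
    print({k: v for k, v in result.items() if k != "blob"})
```

On a live host the same functions can be fed the output of `wevtutil qe "Key Management Service" /f:xml` wrapped in a root element; a hit with `chunked_like_dropper` set and entropy near 8 bits per byte is worth pulling the blob for analysis rather than dismissing as KMS noise.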

Additional Security Info:
Using this stealthy approach, the attackers can deliver either of their two remote access trojans (RATs), each a combination of complex custom code and elements of publicly available software. With the ability to inject code into any process, the attackers are free to use this feature widely to inject the next modules into Windows system processes or trusted applications. Attribution in cyberspace is tricky. The best analysts can do is dig deep into attackers' tactics, techniques and procedures (TTPs) and the code they write. If those TTPs or that code overlap with past campaigns from known actors, that overlap might be the basis for incriminating a suspect.

Closing:
In this case, the researchers found attribution difficult, because beyond the unprecedented technique of injecting shellcode into Windows event logs, the campaign has one other unique component: the code itself. While the droppers are commercially available products, the anti-detection wrappers and RATs they are paired with are custom made. The code is quite unique, with no similarities to known malware. For that reason, the researchers have yet to determine the identity of the attackers.

Reference link for the full story:
Attackers Use Event Logs to Hide Fileless Malware

This information is brought to you by Vectech Solutions, The Gold Standard in Cybersecurity

#stealth #fileless #eventlogs