Posted on September 4, 2021 at 6:39 PM
A New Malware Uses CLFS Log Files To Evade Detection, Researchers Warn
FireEye’s Mandiant cyber security research team has discovered a new malware family that utilizes Common Log File System (CLFS) to plant payload in registry transactions.
CLFS is used for both event logging and data logging. It is used by TxR and TxF to store transactional state changes before a transaction is completed.
The research team, which dubbed the malware PRIVATELOG, also noted that it hides in the payload to avoid being detected while exploiting the host system. The PRIVATELOG installer is dubbed STASHLOG.
However, what is not clear is the identities of the threat actors or the reason behind their operations.
The Malware Could Still Be In Development
Also, Mandiant stated that the malware is yet to be seen in the wild, but it doesn’t mean the threat actors have not launched a second-stage payload.
The researchers suspect that the PRIVATELOG may still be under development or waiting to be used as part of a top target.
CLFS is accessible to both user-mode and kernel-mode applications such as messaging clients, OLTP systems, database systems, network event management, and sharing high-performance transaction logs,
The main issue with these types of files is the fact that there are no available tools that can parse them. That’s because their file formats are not documented or widely used.
As a result, threat actors can keep the data as log records conveniently to avoid detection. The only way to access them is via API functions.
The Malware Has Capabilities To Stay Undetected
Both STASHLOG and PRIVATELOG have capabilities that enable the malicious software to stay on infected devices for a long time, avoiding any detection. They use control flow and obfuscated strings techniques that are designed to make it more difficult for static analysis.
Additionally, the STASHLOG installer admits a next-stage payload as an argument, which can be further arranged in a particular CLFS log file.
What’s more, the STASHLOG installer accepts a next-stage payload as an argument, the contents of which are subsequently stashed in a specific CLFS log file PRIVATELOG utilizes a technique known as DLL search order hijacking that loads the malicious library.
And like STASHLOG, it begins its operations by listing *.BLF files in the default user’s profile directory, using the file along with the first creation date timestamp. The security team state that the malware carries out all these before completing the decryption and storing the second-stage payload.
Organizations Should Apply The YARA Rules
The research team has made some recommendations to avoid becoming victims. According to Mandiant, users need to use the YARA rules when scanning the internal networks. The aim is to monitor the network to identify any evidence of the malware. They should also be on the lookout for any potential indicators of a breach in ‘filewrite” or “imageload” events linked to the EDR system logs.
“Rules to detect CLFS containers matching PRIVATELOG structures or containing encrypted data are also provided,” the researchers noted.
However, they warned that organizations should test the rules properly before running them in a production environment.
The CLFS is a general-purpose logging subsystem that was launched with Windows Server 2003 R2. Since then, it has been coming with later versions of the Windows operating systems.
It operates like other malware that depends on NTFS Extended attributes or Windows Registry to keep their data hidden from the targeted users’ security systems.
The Mandiant researchers also explained that the malware has attributes that retrieve binary data with the Windows API.
Hackers Use The Malware To Abuse Windows System Privileges
According to the researchers, the PRIVATELOG sample is an un-obfuscated 64-bit DLL called prntvpt.dll. It has exports that imitate genuine prntvpt.dll files. The threat actors can hack the search orders used when loading DLLs to load the RIVATELOG from PrintConfig.dll.
The researchers also stated that threat actors can abuse the privileges the Windows system gives when searching for required DLLs to load into a program.
They can elevate privileges or establish persistence by hijacking DLL loads, which can help them evade restrictions when executing the targeted file.