Posted on May 5, 2022 at 6:25 PM
Researchers at cybersecurity firm Kaspersky have discovered a malicious campaign that uses a new technique to plant fileless malware on target machines. According to the report, the hackers inject shellcode directly into the Windows event logs, which lets them use the event logs as cover for late-stage malicious Trojans. The researchers discovered the campaign in February but believe the threat actors had been active for months before that.
“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” senior security researcher with Kaspersky, Denis Legezo, commented.
The Hackers Lure Their Victims To Download Cobalt Strike Module
In the research report, Kaspersky stated that the first stage of the attack started in September 2021. The hackers lure their victims into downloading a digitally signed Cobalt Strike module.
Using event logs for malware stashing is a new technique that has never been seen before in the wild, according to security researchers.
Although the attacks have not been linked to any known threat actor, the group stands out because it patches native Windows API functions tied to the anti-malware scan interface and event tracing (AMSI and ETW) so that its activity is neither scanned nor traced and the attack remains effective.
The threat actors have also devised means of avoiding detection by using domains with names that imitate legitimate ones. They also employ different anti-detection decryptors and use virtual private servers to stay under the radar and avoid being exposed.
Additionally, the threat actors behind the campaign use a wide range of anti-detection techniques and injection tools to deliver the malware payload. They have invested heavily in the operation and use at least two commercial products as their attack tools. Beyond that investment, the researchers stated that the threat actors behind the campaign are sophisticated and highly skilled.
The Threat Actor Uses 15 Different Digital Certificates
The researchers stated that the first stage of the attack uses a legitimate website and entices the targets to download a compressed .RAR file. These archives are booby-trapped with the network penetration-testing tools SilentBreak and Cobalt Strike, two popular tools that other threat actors also use to deliver shellcode when launching attacks.
SilentBreak and Cobalt Strike use different anti-detection AES decryptors, compiled with Visual Studio.
The researchers also noted that the attackers use different digital certificates for the Cobalt Strike tool. In this case, the attackers used 15 different digital certificates for signing, from the first stage to the last phase of the attack.
After setting up the first stage of the attack, the threat actors leverage SilentBreak and Cobalt Strike to “inject code into the process”. Additionally, they are capable of injecting more modules into legitimate applications or the Windows system processes, depending on how their first code injection goes.
The threat actor's technique of planting malware in the system's memory was classified as fileless. It is a distinctive way of planting malware on computer systems because it leaves no trace or artifacts on the local hard drive. This makes it easier for the hackers to circumvent security systems and stay hidden on the affected machine for a long time.
The Hackers Are Using A Never-Seen-Before Technique
The method allows hackers to hide their operations in a computer’s RAM while utilizing a native Windows tool like Windows Management Instrumentation and PowerShell. The researchers noted that this method has been used by several other threat actors in the past.
However, what is new is how the hackers plant the encrypted shellcode that contains malicious payload into the Windows event logs. The hackers also go further by dividing the code into 8 KB blocks to avoid detection.
Apart from placing the launcher on the disk for side-loading, the dropper also writes information into the existing Windows KMS log using the shellcode.
According to Legezo, the dropped wer.dll loader does not have any impact unless it is supported by the shellcode hidden in the Windows event logs. The threat actors are well aware of this fact, which is why they decided to deploy the shellcode.
But the dropper also performs another important function. It searches the event logs for records with category 0x4142 whose source is the Key Management Service. If it finds none, the 8 KB chunks of shellcode are written into informational log messages through the ReportEvent() Windows API function.
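As an added example (not from the article or from Kaspersky's report), the following PowerShell hunt looks for the two artefacts the text describes in the Key Management Service log: records with category 0x4142, and records carrying unusually large raw data, which is where 8 KB shellcode chunks written via ReportEvent() would surface. The function name, the raw-data threshold and the reliance on Get-WinEvent's Task field as the classic event category are this example's own assumptions.

```powershell
# Added hunting example (not from the original article or Kaspersky's report).
# Assumptions (labelled): the log name 'Key Management Service', the category
# value 0x4142 and the 8 KB chunk size come from the article; the function name,
# the 4 KB raw-data threshold and the output format are this example's choices.

function Find-EventLogShellcodeChunks {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Key Management Service',   # log the article says is abused
        [int]$SuspectCategory = 0x4142,                # category the loader searches for
        [int]$RawDataThreshold = 4096                  # assumed: legitimate KMS events carry far less raw data
    )

    # Assumption: Get-WinEvent exposes the classic "category" field of legacy logs as .Task.
    $events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $hits = foreach ($e in $events) {
        # Raw data passed to ReportEvent() (lpRawData) surfaces as a byte[] property.
        $rawBytes = 0
        foreach ($p in $e.Properties) {
            if ($p.Value -is [byte[]] -and $p.Value.Length -gt $rawBytes) {
                $rawBytes = $p.Value.Length
            }
        }

        $byCategory = ($e.Task -eq $SuspectCategory)
        $byRawSize  = ($rawBytes -ge $RawDataThreshold)
        if (-not ($byCategory -or $byRawSize)) { continue }

        $reasons = @()
        if ($byCategory) { $reasons += 'category 0x4142' }
        if ($byRawSize)  { $reasons += "raw data >= $RawDataThreshold bytes" }
        $categoryText = if ($null -ne $e.Task) { '0x{0:X4}' -f $e.Task } else { 'n/a' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName
            EventId     = $e.Id
            Category    = $categoryText
            RawBytes    = $rawBytes
            Reason      = ($reasons -join '; ')
        }
    }

    # Many consecutive hits of roughly 8 KB each (the article's chunk size) is the
    # pattern to look for; a single hit is worth a look but is weaker evidence.
    return @($hits | Sort-Object TimeCreated)
}

# Usage: run in an elevated PowerShell session on the host being examined.
$suspects = Find-EventLogShellcodeChunks
if ($suspects.Count -eq 0) {
    Write-Output 'No events matching the category 0x4142 / large-raw-data pattern in the KMS log.'
} else {
    $suspects | Format-Table -AutoSize
    $total = ($suspects | Measure-Object -Property RawBytes -Sum).Sum
    Write-Output ("{0} suspicious event(s); total raw bytes: {1}" -f $suspects.Count, $total)
}
```

The category check is the precise signal the article gives; the raw-data size check is a broader net that also catches variants using a different category value, at the cost of occasional false positives on hosts whose KMS events legitimately carry binary data. Hits in this log are worth correlating with the other artefact the article names, a wer.dll loader dropped to disk for side-loading, before drawing conclusions.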
The researchers warned that the code used by the threat actors is unique and has not been seen in any known malware before.