
Hackers now hide malware in Windows event logs

Security researchers noticed a malicious campaign that used Windows event logs to store malware, a technique that had not previously been publicly documented for attacks in the wild.

The method allowed the threat actor behind the attack to plant fileless malware on the file system in an attack packed with techniques and modules designed to keep the activity as stealthy as possible.

Add payloads to Windows event logs

Kaspersky researchers collected a sample of the malware after a company product equipped with technology for behavior-based detection and anomaly control identified it as a threat on a customer’s computer.

The investigation revealed that the malware was part of a “highly targeted” campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for Key Management Services (KMS), an action completed by a custom malware dropper.

Denis Legezo, Principal Security Researcher at Kaspersky, says that this method has been used “for the first time ‘in the wild’ during the malicious campaign.”

The dropper copies the legitimate operating system error handling file WerFault.exe to ‘C:\Windows\Tasks’ and then drops an encrypted binary resource into ‘wer.dll’ (Windows Error Reporting) in the same location, relying on DLL search order hijacking to load the malicious code.

DLL hijacking is a hacking technique that exploits legitimate programs with insufficient controls to load a malicious dynamic-link library (DLL) from an arbitrary path into memory.

Legezo says that the purpose of the dropper is to write the loader to disk for the sideloading process and to look for particular records in the event logs (category 0x4142, ‘AB’ in ASCII). If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stage.
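A defender-side check for the technique described above, added here as an illustration rather than code from Kaspersky or the article: it scans event records (constructed sample records stand in for an export of the Application log) for Key Management Service entries whose category is 0x4142 and whose binary data is high-entropy, the shape of the encrypted 8KB chunks the dropper writes. The record field names and the entropy threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

# From the write-up: encrypted shellcode is stored as 8 KB chunks in
# Key Management Service event records with category 0x4142 ("AB").
SUSPECT_PROVIDER = "Key Management Service"
SHELLCODE_CATEGORY = 0x4142
CHUNK_SIZE = 8 * 1024
ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed); encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious(record: dict) -> bool:
    """True when a record matches the provider, category and payload shape the
    campaign used. Field names (provider, category, data) are assumed."""
    if record.get("provider") != SUSPECT_PROVIDER:
        return False
    if record.get("category") != SHELLCODE_CATEGORY:
        return False
    data = record.get("data", b"")
    # The final chunk may be shorter than 8 KB; reject only tiny or oversize blobs.
    if not 512 <= len(data) <= CHUNK_SIZE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def suspicious_record_ids(records) -> list:
    return [r["record_id"] for r in records if is_suspicious(r)]

def pseudo_encrypted(size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted chunk."""
    blocks = (size + 31) // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(blocks))[:size]

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"record_id": 1, "provider": SUSPECT_PROVIDER, "category": 0,
     "data": b"KMS activation status refreshed"},          # ordinary KMS event
    {"record_id": 2, "provider": SUSPECT_PROVIDER, "category": SHELLCODE_CATEGORY,
     "data": pseudo_encrypted(CHUNK_SIZE)},                # full encrypted chunk
    {"record_id": 3, "provider": SUSPECT_PROVIDER, "category": SHELLCODE_CATEGORY,
     "data": pseudo_encrypted(3000)},                      # shorter final chunk
    {"record_id": 4, "provider": SUSPECT_PROVIDER, "category": SHELLCODE_CATEGORY,
     "data": bytes(CHUNK_SIZE)},                           # zero-filled, low entropy
    {"record_id": 5, "provider": "Application Error", "category": SHELLCODE_CATEGORY,
     "data": pseudo_encrypted(CHUNK_SIZE)},                # wrong provider
]
```

Against the sample set, records 2 and 3 are flagged; on a real host the records would come from an export of the Application log rather than the constructed list.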

“The dropped wer.dll is a loader and it wouldn’t do any harm without the hidden shellcode in the Windows event logs” – Denis Legezo, Principal Security Researcher at Kaspersky

The new technique discussed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently a Mandiant Red Team intern, created and published on GitHub the source code for injecting payloads into Windows event logs.

Technically advanced actor

Based on the various techniques and modules (penetration testing suites, custom anti-detection wrappers, end-stage Trojans) used in the campaign, Legezo says that the entire campaign “looks impressive.”

He told BleepingComputer that “the actor behind the campaign is quite skilled on his own, or at least has a good set of fairly deep trading tools,” indicating an APT-level adversary.

Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI (formerly SilentBreak).

While some attack modules are believed to be custom, the researcher notes that they may be part of the NetSPI platform, for which no commercial license was available for testing.

For example, two Trojans named ThrowbackDLL.dll and SlingshotDLL.dll may be the tools of the same names that are known to be part of the SilentBreak penetration testing framework.

“We started the investigation from the last stage in memory and then, using our telemetry, we were able to reconstruct several chains of infection” – Denis Legezo

The investigation traced the initial stage of the attack to September 2021, when the victim was tricked into downloading a RAR file from the file.io file-sharing service.

The threat actor then deployed the Cobalt Strike module, which was signed with a certificate from a company called Fast Invest ApS. The certificate was used to sign 15 files, none of which were legitimate.

In most cases, the ultimate purpose of targeted malware with such end-stage functionality is to obtain some valuable data from victims, the researcher told BleepingComputer.

While studying the attack, Kaspersky found no similarities to previous campaigns associated with a known threat actor.

Until a connection to a known adversary is established, researchers track new activity as SilentBreak, named after the tool most used in the attack.
