Kaspersky experts have uncovered a new targeted fileless malware campaign. It is notable for storing malware inside Windows Event Logs, a technique not previously observed, and for the range of techniques the attackers combined.
The attackers used commercial pentesting suites and anti-detection wrappers, some of them compiled in Go, and deployed several last-stage Trojans as part of the campaign.
A new fileless attack technique
Kaspersky experts have discovered a targeted malware operation using a unique technique: fileless malware hidden in Windows event logs. The system was initially infected via a dropper module from an archive downloaded by the victim. The attackers used a variety of anti-detection wrappers to further obfuscate the last-stage Trojans, and some modules were signed with a digital certificate to avoid detection.
In the final stage, the attackers deployed two types of Trojans to maintain access to the system. Commands from the command-and-control (C2) servers were delivered in two ways: over HTTP, and through named pipes. Some Trojan versions supported a command set of dozens of C2 commands.
Shellcode hidden in Windows event logs
The campaign also used commercial pentesting tools, including SilentBreak and Cobalt Strike. It combined well-known techniques with custom decryptors and the first observed use of Windows Event Logs to hide shellcode on a system.
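The technique described above, shellcode stored as encrypted blobs in event log records, gives a defender a concrete thing to hunt for: event records whose binary data is unusually large and has the near-uniform byte distribution of encrypted or compressed data, especially when several such records of identical size come from the same provider. The following Python is an added example written for this page; it is not Kaspersky's code and not part of the campaign's tooling. It assumes event records have already been exported into dicts with `record_id`, `provider`, `event_id` and `data` (bytes) fields; the records, provider names, event IDs and thresholds are constructed for illustration, and the equal-size chunking assumption is an assumption, not something the page states.

```python
"""
Hunt for shellcode chunks stashed in Windows event log records.

Added example, not Kaspersky's code. Input records are assumed to be
dicts: {"record_id": int, "provider": str, "event_id": int, "data": bytes}.
All sample data below is constructed.
"""
import math
import random
from collections import defaultdict

# Thresholds are assumptions for this example; tune them per environment.
MIN_PAYLOAD_LEN = 512   # legitimate binary EventData is usually small
MIN_ENTROPY = 7.0       # bits/byte; encrypted or compressed blobs approach 8.0
MIN_CHUNK_RUN = 3       # equal-size high-entropy records from one source


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_high_entropy_blob(data: bytes) -> bool:
    """Large and close to random: the signature of an encrypted payload."""
    return len(data) >= MIN_PAYLOAD_LEN and shannon_entropy(data) >= MIN_ENTROPY


def find_payload_chunks(records):
    """
    Group high-entropy records by (provider, event_id, size). A payload too
    large for one record is assumed to be split into equal-size chunks, so a
    run of such records from one source is the finding worth triaging.
    Returns a list of (provider, event_id, chunk_size, [record_ids]).
    """
    groups = defaultdict(list)
    for r in records:
        data = r.get("data") or b""
        if is_high_entropy_blob(data):
            groups[(r["provider"], r["event_id"], len(data))].append(r["record_id"])
    return [(p, e, s, ids) for (p, e, s), ids in sorted(groups.items())
            if len(ids) >= MIN_CHUNK_RUN]


def reassemble(records, finding):
    """Concatenate the flagged chunks in record order for offline analysis."""
    _, _, _, ids = finding
    wanted = set(ids)
    ordered = sorted(records, key=lambda r: r["record_id"])
    return b"".join(r["data"] for r in ordered if r["record_id"] in wanted)


def sample_records(seed=1234):
    """Constructed sample: benign text records plus a 3 KiB random blob
    split into three 1 KiB records, standing in for encrypted shellcode."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(3 * 1024))
    records = [
        {"record_id": 1, "provider": "ExampleSvc", "event_id": 1000,
         "data": b"The example service entered the running state."},
        # Large but low entropy: must NOT be flagged.
        {"record_id": 2, "provider": "ExampleApp", "event_id": 1000,
         "data": ("Request handled " * 128).encode()},
    ]
    for i in range(3):
        records.append({"record_id": 3 + i, "provider": "ExampleApp",
                        "event_id": 1337,
                        "data": payload[i * 1024:(i + 1) * 1024]})
    records.append({"record_id": 6, "provider": "ExampleApp",
                    "event_id": 1000, "data": b"ok"})
    return records, payload


if __name__ == "__main__":
    recs, _ = sample_records()
    for provider, event_id, size, ids in find_payload_chunks(recs):
        print(f"{provider} event {event_id}: {len(ids)} x {size}-byte "
              f"high-entropy records {ids}, {len(reassemble(recs, (provider, event_id, size, ids)))} bytes total")
```

On a live host the records would come from an export such as `wevtutil qe Application /f:xml` or `Get-WinEvent -LogName Application` followed by `.ToXml()` on each record, with the hex-encoded `<Binary>` element of `EventData` decoded into the `data` field; the entropy gate is what keeps ordinary large text records (crash dumps, stack traces) out of the results.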
“We observed a new targeted malware technique that caught our attention. For the attack, the actor saved and then executed an encrypted shellcode from Windows event logs,” said Denis Legezo, senior security researcher at Kaspersky. “It's an approach we've never seen before and shows the importance of being alert to threats that might otherwise catch you unprepared. We think it's worth adding the Event Logs technique to the MITRE Matrix's Defense Evasion section in the Hide Artefacts part. The use of different commercial pentesting suites is also not common.”
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/