A new sophisticated campaign uses an interesting anti-detection method.
Researchers have discovered a malicious campaign using a never-before-seen technique for quietly planting fileless malware on target machines.
The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late stage trojans, according to a Kaspersky research report released Wed.
Researchers uncovered the campaign in Feb. & believe the unidentified adversaries have been active for the past month.
“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” wrote Denis Legezo, Senior Security Researcher with Kaspersky’s Global Research & Analysis Team.
The attackers behind the campaign use a series of injection tools & anti-detection technique to deliver the malware payload.
“With at least 2 commercial products in use, plus several types of last-stage RAT & anti-detection wrappers, the actor behind this campaign is quite capable,” Legezo wrote.
Fileless Malware Hides in Sight
The 1st stage of the attack involves the adversary driving targets to a legitimate website & enticing the target to download a compressed .RAR file booby-trapped with the network penetration testing tools called Cobalt Strike & Silent Break.
Both tools are popular among hackers who use them as a vehicle for delivering shellcode to target machines.
Cobalt Strike & Silent Break using separate anti-detection AES decryptors, compiled with Visual Studio.
The digital certificate for the Cobalt Strike module varies. According to Kaspersky, “15 different stagers from wrappers to last stagers were signed.”
Attackers are then able to use Cobalt Strike & Silent Break to “inject code into any process” & can inject additional modules into Windows system processes or trusted applications such as DLP.
“This layer of infection chain decrypts, maps into memory & launches the code,” they observed.
The ability to inject malware into system’s memory classifies it as fileless. As the name indicates, fileless malware infects targeted computers leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security & forensics tools.
The technique, where attackers hide their activities in a computer’s random-access memory & use a native Windows tools such as PowerShell & Windows Management Instrumentation (WMI), is not new.
What is new is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks & saved in the binary part of event logs.”
Legezo stated, “The dropper not only puts the launcher on disk for side-loading, but also writes information messages with shellcode into existing Windows KMS event log.”
“The dropped wer.dll is a loader & wouldn’t do any harm without the shellcode hidden in Windows event logs,” he continues.
“The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) & having the Key Management Service as a source. If none is found, the 8KB pieces of shellcode are written into the information logging messages via the Report Event() Windows API function (lpRawData parameter).”
Next, a launcher is dropped into the Windows Tasks directory. “At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it,” the researcher wrote.
“Such attention to the event logs in the campaign isn’t limited to storing shellcodes,” the researchers added. “Dropper modules also patch Windows native API functions, related to event tracing (ETW) & anti-malware scan interface (AMSI), to make the infection process stealthier.
Unidentified Adversary Delivers Payload of Pain
Using this stealth approach, the attackers can deliver either of their 2 remote access trojans (RATs), each 1 a combination of complex, custom code & elements of publicly available software.
With their “ability to inject code into any process using Trojans, the attackers are free to use this feature widely to inject the next modules into Windows system processes or trusted applications.”
Attribution in cyberspace is hard. The best that analysts can do is to look into attackers’ tactics, techniques & procedures (TTPs), & the code they write. If those TTPs or that code overlaps with past campaigns from known players, it might be the basis for ‘fingering’ a suspect.
Here, the researchers found attribution difficult.
That is because, beyond the unprecedented technique of injecting shellcode into Windows event logs, there is 1 other unique component to this campaign – the code itself.
While the droppers are commercially available products, the anti-detection wrappers & RATs they come paired with are custom made (though, the researchers hedged, “some modules which we consider custom, such as wrappers & last stagers, could possibly be parts of commercial products”).
Concludes the report, “the code is quite unique, with no similarities to known malware.” For that reason, the researchers have yet to determine the identity of the attackers.
“If new modules appear & allow us to connect the activity to some actor we will update the name accordingly.”