Kaspersky discovers fileless malware inside Windows Event logs


By MYBRANDBOOK


Kaspersky discovers fileless malware inside Windows Event logs

Recently, Kaspersky published a detailed analysis of a complex attack involving a combination of various techniques and pieces of software and highlighted the use of Windows event logs as something completely new.

 

The Windows event log and Event Viewer are supposed to help users diagnose security issues and other problems in PCs. However, Kaspersky researchers encountered one hacker who used the event log itself against their target. The attacker inserted shellcode into the target's Windows event logs, leaving no files for antivirus to detect.

 

The hacking groups employed two types of Trojans for the last stage, gaining further access to the system. This was delivered through two different methods, both via HTTP network communications and by engaging the named pipes.

 

The HTTP network method saw the malicious file target the Windows system files, hiding a piece of malware by creating a duplicate of an existing file with “1.1” added to the string, which is assumed to be the malicious version of a file.

 

The other method is known as the Named-Based Pipes Trojan, which locates the Microsoft Help Data Services Module library within Windows OS files and then grabs an existing file to overwrite it with a malware version that can execute a string of commands. Once the malicious version is run, the victim’s device is scraped for architecture and Windows version information.

 

Denis Legezo, lead security researcher at Kaspersky said, “We witnessed a new targeted malware technique that grabbed our attention. For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to MITRE Matrix’s Defense Evasion and Hide Artifacts section. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org