Kaspersky Expert: Beware Of Malware Without Files In Event Logs
JAKARTA - In a recent investigation, Kaspersky experts discovered a fairly specific targeted malware campaign.
This activity stands out for its innovative use of Windows event logs for malware storage, impressive range of attack techniques, such as commercial penetration test suites and anti-detection wrappers including those compiled with Go. Some late-stage Trojans are used during the activity.
Kaspersky experts have detected a targeted malware campaign that uses a unique technique of hiding "fileless" malware in Windows event logs. The initial infection of the system is carried out via the incubator module from the archive downloaded by the victim.
Attackers use a variety of unmatched anti-detection wrappers to keep the last-stage Trojan from being too obvious. To avoid further detection, some modules are signed with digital certificates.
Attackers use two types of Trojans for the last stage. It is used to gain further access to the system, commands from the control server are sent in two ways, namely via HTTP network communication and using named pipes. Some versions of the Trojan successfully use a command system that contains dozens of commands from C2.
The campaign also includes commercial penetration testing tools, namely SilentBreak and CobaltStrike. It combines well-known techniques with customized decryptors and the use of the first observed Windows event logs to hide shellcode into the system.
“We are witnessing an exciting new targeted malware technique. For such attacks, cybercriminals store and then execute encrypted shellcode from Windows event logs," said Denis Legezo, Kaspersky principal security researcher in a statement.
Legezo added that it was an approach they had never seen before and at the same time highlighted the importance of staying alert to threats that could catch you off guard.
"We believe that it is valuable to add the event logs technique to the "anticipate defense" section of the MITER matrix in its "hide artifacts" section," he continued.
He also said the use of multiple commercial penetration test suites is also not something you see every day.
To protect yourself from fileless malware and similar threats, Kaspersky recommends:
Use a reliable endpoint security solution. Installs anti-APT solutions and endpoint response (EDR), enabling timely threat discovery and detection, investigation, and incident remediation capabilities. Also, give your SOC team access to the latest threat intelligence and upgrade them regularly with professional training. Integrate proper endpoint protection and dedicated services that can help protect against high-profile attacks.