Security researchers have identified a malicious campaign that stores its payload inside Windows event logs, a technique that had not previously been documented publicly for attacks in the wild. The method lets the threat actor keep the last-stage Trojan "fileless": the shellcode lives in event log records rather than on disk, so there is no payload file for the file system to reveal. The rest of the attack is packed with techniques and modules designed to keep the activity as stealthy as possible.
Besides the event-log trick, the actor relies heavily on memory injection: many of the RAT's commands are related to it and they are used frequently. Alongside the custom modules and techniques, several commercial pentesting tools, Cobalt Strike and SilentBreak's toolset among them, are used.
The infection chain
In February 2022 Denis Legezo, a lead security researcher at Kaspersky, observed the technique of storing shellcode in Windows event logs "in the wild" for the first time, during this campaign. It allows the "fileless" last-stage Trojan to be kept out of plain sight in the file system.
To describe the campaign technically, the researchers split its tooling into three classes: commercial pentesting suites, custom anti-detection wrappers around them, and last-stage Trojans.
The investigation tracked the initial stage of the attack to September 2021 when the victim was tricked into downloading a RAR archive from the file sharing service file.io.
The Cobalt Strike module delivered next was signed with a certificate issued to a company named Fast Invest ApS. The same certificate was used to sign 15 files, none of them legitimate.
Because the infection scenario differed from host to host, the researchers describe just one of the observed chains. Since the Trojans can inject code into any process, the attackers use this ability widely to place the next modules into Windows system processes or trusted applications such as DLP software.
For the anti-detection wrappers, different compilers are in use. Besides MSVC, Go compiler 1.17.2 and GCC under MinGW have been used.
Dropper in DLL, search order hijacking
The dropper is injected into Windows processes such as explorer.exe. At its single entry point, once loaded into the virtual address space of the launcher process, it first removes files created by previous stages or executions.
Firstly, the module copies the original legitimate OS error handler WerFault.exe to C:\Windows\Tasks. Then it drops one of the encrypted binary resources to the wer.dll file in the same directory for typical DLL search order hijacking. For the sake of persistence, the module sets the newly created WerFault.exe to autorun, creating a Windows Problem Reporting value in the Software\Microsoft\Windows\CurrentVersion\Run Windows system registry branch.
The dropped wer.dll is only a loader and does no harm on its own without the shellcode hidden in the Windows event logs. The dropper searches the event logs for records with category 0x4142 ("AB" in ASCII) and Key Management Service as the source. If none are found, it writes the shellcode into the log in 8 KB chunks; the event IDs of the created records are incremented automatically, starting from 1423. Microsoft Key Management Service (KMS) lets organizations activate Windows systems within their own network, so records from this source are normal on a corporate host and the category value is what distinguishes the malicious ones.
The event-log technique, which the researchers had not seen before, is the most innovative part of this campaign. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind it is quite capable. Some of the modules described here as custom may turn out to be part of a commercial toolset as well. The code is quite unique, with no similarities to known malware. Kaspersky's Securelist says it will continue to monitor similar activity.
Indicators of Compromise
File hashes (malicious documents, Trojans, emails, decoys) and hashes of the anti-detection wrappers, decryptors and launchers (not malicious by themselves) are given in the full Securelist report and are not reproduced here.
C:\Windows\Tasks\WerFault.exe: a copy of the legitimate binary, used to sideload the malicious wer.dll from the same directory
Named pipe: MonolithPipe
Event log records with category 0x4142 from the Key Management Service source; event IDs auto-increment starting from 1423