Attackers Use Event Logs to Hide Fileless Malware
upstart writes:
Attackers Use Event Logs to Hide Fileless Malware:
Researchers have discovered a malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines.
The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late stage trojans, according to a Kaspersky research report released Wednesday.
Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month.
"We consider the event logs technique, which we haven't seen before, the most innovative part of this campaign," wrote Denis Legezo, senior security researcher with Kaspersky's Global Research and Analysis Team.
[...] The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file boobytrapped with the network penetration testing tools called Cobalt Strike and SilentBreak. Both tools are popular among hackers who use them as a vehicle for delivering shellcode to target machines.
[...] Next, attackers are able to leverage Cobalt Strike and SilentBreak to "inject code into any process" and can inject additional modules into Windows system processes or trusted applications such as DLP.
[...] What is new, however, is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code "is divided into 8 KB blocks and saved in the binary part of event logs."
Read more of this story at SoylentNews.
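The storage trick described in the story (encrypted shellcode split into 8 KB blocks and written into the binary data of event records) leaves a pattern a defender can hunt for: a run of events from one source whose binary field is large and near-random. The following is an added example, not code from the article or from Kaspersky's report. It parses event records in the XML form that `wevtutil qe <log> /f:xml` or `Get-WinEvent | % { $_.ToXml() }` emits (the raw bytes of an event live hex-encoded in `Event/EventData/Binary`), flags blobs that are both large and high-entropy, and reassembles the flagged blobs of one provider in record order. The sample records, the provider names and event IDs in them, and the size and entropy thresholds are all constructed assumptions for illustration; only the 8 KB block size comes from the article.

```python
import hashlib
import math
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
CHUNK_SIZE = 8 * 1024      # the article: payload "divided into 8 KB blocks"
MIN_BYTES = 4 * 1024       # assumed threshold: only blobs of at least half a chunk
MIN_ENTROPY = 7.0          # assumed threshold in bits/byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_events(xml_text: str) -> list:
    """Parse a sequence of <Event> elements (one per line in wevtutil /f:xml output)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wrap: the export has no root
    records = []
    for ev in root.findall(NS + "Event"):
        system = ev.find(NS + "System")
        binary_el = ev.find(NS + "EventData/" + NS + "Binary")
        blob = b""
        if binary_el is not None and binary_el.text:
            blob = bytes.fromhex(binary_el.text.strip())  # Binary is hex-encoded in the XML
        records.append({
            "provider": system.find(NS + "Provider").get("Name", "?"),
            "event_id": int(system.findtext(NS + "EventID")),
            "record_id": int(system.findtext(NS + "EventRecordID")),
            "binary": blob,
        })
    return records


def find_suspicious(records, min_bytes=MIN_BYTES, min_entropy=MIN_ENTROPY):
    """Records whose binary payload is both large and high-entropy (both filters are needed:
    many benign events carry large but structured binary data, and small random blobs abound)."""
    return [r for r in records
            if len(r["binary"]) >= min_bytes and shannon_entropy(r["binary"]) >= min_entropy]


def reassemble(records, provider: str) -> bytes:
    """Concatenate the flagged blobs of one provider in record order. This recovers the stored
    payload only if the dropper wrote its chunks sequentially, which is an assumption here."""
    chunks = sorted((r for r in find_suspicious(records) if r["provider"] == provider),
                    key=lambda r: r["record_id"])
    return b"".join(r["binary"] for r in chunks)


# ---- constructed sample data (not real log content) ----------------------------------
def _pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted shellcode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _event_xml(provider: str, event_id: int, record_id: int, blob: bytes) -> str:
    return (f"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            f"<System><Provider Name='{provider}'/><EventID>{event_id}</EventID>"
            f"<EventRecordID>{record_id}</EventRecordID></System>"
            f"<EventData><Binary>{blob.hex().upper()}</Binary></EventData></Event>")


PAYLOAD = _pseudo_random(b"constructed-sample", 3 * CHUNK_SIZE)   # three 8 KB blocks
SAMPLE_XML = "\n".join([
    _event_xml("Microsoft-Windows-Example", 1000, 10, b"\x00\x00\x00\x00"),      # tiny status word
    _event_xml("SampleSource", 4242, 11, PAYLOAD[0:CHUNK_SIZE]),
    _event_xml("Microsoft-Windows-Example", 1001, 12, b"benign text payload " * 450),  # big, low entropy
    _event_xml("Microsoft-Windows-Example", 1002, 13, _pseudo_random(b"small", 64)),   # random, too small
    _event_xml("SampleSource", 4242, 14, PAYLOAD[CHUNK_SIZE:2 * CHUNK_SIZE]),
    _event_xml("SampleSource", 4242, 15, PAYLOAD[2 * CHUNK_SIZE:]),
])

if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for r in find_suspicious(recs):
        print(f"record {r['record_id']}: provider={r['provider']} id={r['event_id']} "
              f"{len(r['binary'])} bytes, entropy={shannon_entropy(r['binary']):.2f}")
    print("reassembled payload matches:", reassemble(recs, "SampleSource") == PAYLOAD)
```

To run this against a real host, export a log first (for example `wevtutil qe Application /f:xml /c:20000 > app.xml` from an elevated prompt) and feed the file's contents to `parse_events`. Treat hits as leads rather than verdicts: legitimate components do write large binary blobs into event data, so confirm by looking at the source, the event ID, and whether several equally sized, high-entropy blocks from the same source appear close together, which is the shape of the storage pattern the story describes.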