
Kaspersky Warns of Fileless Malware Hidden in Windows Event Logs

Threat hunters at Kaspersky are publicly documenting a malicious campaign that abuses Windows event logs as a storage location for fileless last-stage Trojans, so that the payload never has to exist as a standalone file on disk.

In a research report published Wednesday, Kaspersky said the first phase of the campaign started around September 2021, with the threat actor luring victims into downloading a digitally signed Cobalt Strike module.

The use of event logs for malware stashing is a technique that Kaspersky’s security researchers say they have not seen before in live malware attacks.

The researchers have not attributed the attacks to a known threat actor, but say that the group stands out because it patches Windows native API functions associated with Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to keep the infection from being logged or scanned.

In fact, the attackers are clearly invested in avoiding detection: they use domains with names that mimic legitimate ones, use virtual private servers for hosting, and employ a variety of anti-detection decryptors – observed compilers range from Microsoft’s cl.exe to a recent version of Go.


According to Kaspersky, the attackers also sign some of the malicious files with certificates they issued themselves. In terms of tooling, the group was seen employing Cobalt Strike, the NetSPI (formerly SilentBreak) toolset, various custom modules, and additional third-party code.

The threat actor’s anti-detection portfolio includes building with several compilers (MSVC, GCC under MinGW, and Go 1.17.2) so that no single toolchain fingerprint covers all samples; launchers that abuse whitelisted, legitimate binaries; digital certificates; Go droppers that patch logging-related API functions; and storing the last-stage malware in the binary data field of event log records, split into 8 KB blocks.
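A practitioner reading the paragraph above will want a way to hunt for this storage pattern on their own hosts. The PowerShell below is an added example, not code from Kaspersky’s report or from the attackers: it reads one event log, keeps records whose binary data field is about one 8 KB block long, groups them by provider and event ID, reassembles each run in record order, and reports size, Shannon entropy and SHA-256 of the carved blob for offline triage. The log name (`Application`), the chunk thresholds and the output directory are assumptions made for the example; the page does not say which log or event source the campaign used.

```powershell
# Added hunting example (not Kaspersky's or the attackers' code).
# Finds event records carrying ~8 KB binary payloads, reassembles runs of them
# per provider/event ID, and writes each blob out with entropy and hash.
# Assumptions: log name, thresholds and output path are illustrative only.
# Run from an elevated PowerShell session (reading logs needs admin rights).
param(
    [string]$LogName = 'Application',  # assumption: the page names no log
    [int]$ChunkSize  = 8192,           # 8 KB blocks, per the report
    [int]$MinChunks  = 2,              # one large record alone is not a run
    [string]$OutDir  = (Join-Path $env:TEMP 'evtlog-carve')
)

function Get-Entropy {
    param([byte[]]$Data)
    # Shannon entropy in bits per byte; encrypted or packed code sits near 8.
    $counts = New-Object int[] 256
    foreach ($b in $Data) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Data.Length; $h -= $p * [math]::Log($p, 2) }
    }
    return [math]::Round($h, 3)
}

function ConvertFrom-HexString {
    param([string]$Hex)
    # EventData/<Binary> in the event XML is the ReportEvent() raw data as hex.
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

# 1. Collect records whose binary payload is a full block or a plausible tail.
$chunks = foreach ($evt in Get-WinEvent -LogName $LogName -ErrorAction Stop) {
    [xml]$xml = $evt.ToXml()
    $hex = [string]$xml.Event.EventData.Binary
    if (-not $hex) { continue }
    $len = [int]($hex.Length / 2)
    # Full blocks plus one shorter final block is the pattern described.
    if ($len -ge [int]($ChunkSize / 4)) {
        [pscustomobject]@{
            Provider = $evt.ProviderName
            EventId  = $evt.Id
            RecordId = $evt.RecordId
            Time     = $evt.TimeCreated
            Length   = $len
            Hex      = $hex
        }
    }
}

# 2. A run of same-sized blocks from one writer is the signal, not one record.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$chunks | Group-Object Provider, EventId | Where-Object {
    $grp = $_
    $full = @($grp.Group | Where-Object { $_.Length -eq $ChunkSize }).Count
    $grp.Count -ge $MinChunks -and $full -gt 0
} | ForEach-Object {
    $grp = $_
    # 3. Reassemble in record order; only the last block may be short.
    $ordered = $grp.Group | Sort-Object RecordId
    $ms = New-Object System.IO.MemoryStream
    foreach ($c in $ordered) {
        $b = ConvertFrom-HexString $c.Hex
        $ms.Write($b, 0, $b.Length)
    }
    $blob = $ms.ToArray()
    $name = ($grp.Name -replace '[^\w\.-]', '_')
    $path = Join-Path $OutDir "$name.bin"
    [IO.File]::WriteAllBytes($path, $blob)
    [pscustomobject]@{
        Source    = $grp.Name
        Chunks    = $grp.Count
        Bytes     = $blob.Length
        FirstSeen = ($ordered | Select-Object -First 1).Time
        Entropy   = Get-Entropy $blob
        Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Saved     = $path
    }
} | Format-Table -AutoSize
```

Legitimate providers do write binary data, so a hit is a lead rather than a verdict: a run of exactly 8192-byte records from a source that normally logs short messages, with entropy close to 8, is what deserves a look. Since the carved blob is written to disk for analysis, run this on a host where the analyst controls the output directory, and treat the SHA-256 as the pivot for checking the same payload across other machines.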


Furthermore, Kaspersky discovered that the function names in the Go main package have been obfuscated.

The last stage Trojans communicate with the command and control (C&C) server either using HTTP with RC4 encryption, or by employing unencrypted communication with named pipes.

“The latter way is technically able to communicate with any network visible external host, but under Windows named pipes are built upon the SMB protocol, which would barely open for external networks. So these modules most probably serve for lateral movement,” Kaspersky says.

Upon execution, the HTTP Trojan first pings the command and control server; only if that ping succeeds does it fingerprint the infected system and send the collected data.

The malware supports commands to fingerprint the system, execute received commands, download and save payloads, list processes, inject code into target processes, sleep for a specified period of time, and terminate the session with the C&C.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
