Threat hunters at Kaspersky have publicly documented a malicious campaign that abuses Windows event logs to store its fileless last-stage Trojans, keeping the payload out of the file system, where it would be far easier to spot.
In a research report published Wednesday, Kaspersky said the first phase of the campaign started around September 2021, with the threat actor luring victims into downloading a digitally signed Cobalt Strike module.
The use of event logs for malware stashing is a technique that Kaspersky’s security researchers say they have not seen before in live malware attacks.
The researchers have not attributed the attacks to a known threat actor, but say the group stands out because it patches Windows native API functions associated with event tracing (ETW) and the Antimalware Scan Interface (AMSI) so that the infection stays stealthy.
In fact, the attackers are clearly invested in avoiding detection: they use domains with names that mimic legitimate ones, host on virtual private servers, and employ a variety of anti-detection decryptors; the compilers observed range from Microsoft's cl.exe to a recent version of Go.
According to Kaspersky, the attackers also sign some of the malicious files with digital certificates that appear to have been issued by the threat actor itself. In terms of tooling, the group was seen employing Cobalt Strike, NetSPI (part of SilentBreak's framework), various custom modules, and additional third-party code.
The threat actor's anti-detection portfolio includes binaries built with MSVC, GCC under MinGW and Go compiler 1.17.2; whitelisted launchers; digital certificates; Go droppers that patch logging-related API functions; and storage of the last-stage malware in the binary part of event log records, broken down into 8 KB blocks.
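The storage trick above is also a hunting opportunity: a payload split into 8 KB blocks shows up as a run of records from one event source whose binary part is exactly 8192 bytes long, usually ending with one shorter block. The following script is an added example written for this article, not code from Kaspersky's report or from the malware. Its records are constructed in memory; on a real host you would export them with wevtutil or Get-WinEvent (or parse the .evtx files with python-evtx) and feed them in the same (provider, event_id, record_id, binary) shape. The 8 KB block size comes from the article; the x64 stager prologue it checks for is a common pattern and an assumption about what such a payload may begin with.

```python
"""Hunt for a payload chunked into the binary part of Windows event log records.

Added example; not Kaspersky's code. Records are constructed, see SAMPLE_RECORDS.
"""
import math
import random
from collections import defaultdict

CHUNK = 8 * 1024                                    # article: last stage stored in 8 KB blocks
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0")  # cld; and rsp,-16: common stager start (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, up to 8.0 for uniform random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_chunked_payloads(records, chunk=CHUNK):
    """Group records by (provider, event_id), sort by record_id, and reassemble every run of
    full-size binary blocks (plus one optional shorter trailing block) into a candidate payload."""
    groups = defaultdict(list)
    for rec in records:
        if rec["binary"]:
            groups[(rec["provider"], rec["event_id"])].append(rec)

    candidates = []
    for (provider, event_id), recs in groups.items():
        recs.sort(key=lambda r: r["record_id"])
        i = 0
        while i < len(recs):
            if len(recs[i]["binary"]) != chunk:      # small binary parts are normal, skip them
                i += 1
                continue
            j, buf = i, bytearray()
            while j < len(recs) and len(recs[j]["binary"]) == chunk:
                buf += recs[j]["binary"]
                j += 1
            if j < len(recs) and len(recs[j]["binary"]) < chunk:
                buf += recs[j]["binary"]             # short block that ends the payload
                j += 1
            candidates.append({"provider": provider, "event_id": event_id,
                               "first_record": recs[i]["record_id"],
                               "chunks": j - i, "payload": bytes(buf)})
            i = j
    return candidates


def triage(candidate):
    """Attach the indicators a hunter checks before pulling the blob for full analysis."""
    payload = candidate["payload"]
    flags = []
    if payload.startswith(b"MZ"):
        flags.append("pe-header")
    if payload.startswith(X64_STAGER_PROLOGUE):
        flags.append("x64-stager-prologue")
    ent = shannon_entropy(payload)
    if ent > 7.0:                                    # packed/encrypted code sits near 8.0
        flags.append("high-entropy")
    return {**candidate, "entropy": round(ent, 2), "flags": flags}


def hunt(records):
    """Return triaged findings for every chunked payload present in the records."""
    return [triage(c) for c in find_chunked_payloads(records)]


# ---- constructed sample data, not real telemetry ----
_rng = random.Random(2022)
PAYLOAD = X64_STAGER_PROLOGUE + bytes(_rng.getrandbits(8) for _ in range(2 * CHUNK + 995))


def _split(data, size):
    return [data[k:k + size] for k in range(0, len(data), size)]


SAMPLE_RECORDS = [
    {"provider": "Constructed-Benign", "event_id": 100, "record_id": 1, "binary": b"\x01\x00\x00\x00"},
    {"provider": "Constructed-Benign", "event_id": 101, "record_id": 2, "binary": b""},
    {"provider": "Constructed-Stash", "event_id": 7, "record_id": 3, "binary": b"ok"},  # small, benign-looking
] + [
    {"provider": "Constructed-Stash", "event_id": 7, "record_id": 10 + n, "binary": piece}
    for n, piece in enumerate(_split(PAYLOAD, CHUNK))          # 8192, 8192, 1000 bytes
]
_rng.shuffle(SAMPLE_RECORDS)   # export order is not guaranteed; the hunt sorts by record_id

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f['provider']} event {f['event_id']} from record {f['first_record']}: "
              f"{f['chunks']} blocks, {len(f['payload'])} bytes, entropy {f['entropy']}, flags {f['flags']}")
```

The run-of-full-blocks rule is what separates a stash from ordinary events, which carry a few bytes of binary data at most; the entropy and header checks then tell a hunter whether the reassembled blob is worth detonating. Because the attackers patch logging-related APIs on the infected host, running this against logs forwarded to a collector is more reliable than trusting what the compromised machine reports about itself.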
Furthermore, Kaspersky discovered that the function names in the main package have been obfuscated.
The last-stage Trojans communicate with the command-and-control (C&C) server either over HTTP with RC4 encryption, or over named pipes with no encryption at all.
“The latter way is technically able to communicate with any network visible external host, but under Windows named pipes are built upon the SMB protocol, which would barely open for external networks. So these modules most probably serve for lateral movement,” Kaspersky says.
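For the HTTP channel, an analyst who has recovered the RC4 key from a sample can decode captured traffic with a few lines of code, since RC4 is a symmetric stream cipher and the same routine both encrypts and decrypts. The following is an added example written for this article, not code from Kaspersky's report or from the Trojan; the key and the beacon message are constructed, and the page gives no details of the real message format.

```python
"""Decrypt an RC4-protected C&C message body.

Added example; not Kaspersky's code. DEMO_KEY and DEMO_BODY are constructed.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream derived from `key`; encrypts and decrypts alike."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute the state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed into the data as it is produced
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(key: bytes, body: bytes) -> str:
    """Decrypt a captured HTTP body and return it as text; a wrong key yields garbage, not an error."""
    return rc4(key, body).decode("utf-8", errors="replace")


# Constructed traffic: a made-up beacon line encrypted under a made-up key.
DEMO_KEY = b"constructed-demo-key"
DEMO_BODY = rc4(DEMO_KEY, b"host=WS01;user=analyst;pid=4242")

if __name__ == "__main__":
    print(decode_c2_body(DEMO_KEY, DEMO_BODY))
    # Known-answer check from the RC4 literature: key "Key", plaintext "Plaintext"
    print(rc4(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
```

Two properties matter to a defender here. RC4 provides confidentiality only: there is no integrity check, so a modified body decrypts to altered bytes without any indication. And because the key is baked into the sample, one recovered key decodes every session of every host running that build, which is why pulling the key from the binary is worth the effort.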
Upon execution, the HTTP Trojan first pings the C&C server; only if that initial request succeeds does it fingerprint the infected system and send the collected data to the server.
The malware supports commands to fingerprint the system, execute received commands, download and save payloads, list processes, inject code into target processes, sleep for a specified period of time, and terminate the session with the C&C.