A new malicious campaign uses a never-before-seen anti-detection technique: it quietly plants fileless malware on target machines by placing shellcode into Windows event logs. Researchers note that this lets the threat actors behind the malware use Windows event logs to hide the late-stage trojans effectively.
The report says that the malware has been around since February and that the unidentified adversaries are relatively new to the game. Even so, they have managed to impress security experts, who consider the event log technique unique and innovative.
We are still unsure who’s behind this malware, which complicates matters. Attribution in cyber security is never easy: an analyst’s best shot is to examine the tactics and techniques used by the attacker and try to link them to a threat actor that has already been exposed, but that doesn’t always work.
In the face of difficulties with attribution and the general spike in the number of hackers, our best defense is to practice proper cyber safety. We can achieve that by investing in a solid antivirus and using a VPN when going online. As the malware becomes more sophisticated, so do the defense tools, including the NordVPN Threat Protection, which alerts users when a potential threat is detected within the device. With widespread access to the internet and information, becoming a threat actor takes less effort than ever. This is why assuming responsibility for our own cyber safety is the most surefire way to stay safe online.
The attackers behind the campaign use a series of injection tools and the aforementioned anti-detection technique to deliver the malware payload. The group has at least two commercial products and several types of last-stage RAT and anti-detection wrappers, which leads the security researchers to believe that the group behind this malware is quite capable.
The first stage of the attack involves the threat actor driving targets to a legitimate website and prompting them to download a compressed .RAR file containing the network penetration testing tools SilentBreak and Cobalt Strike. These tools are regularly used by hackers to deliver shellcode to target devices. The testing tools use different anti-detection AES decryptors compiled with Visual Studio.
After that, the attackers can leverage Cobalt Strike and SilentBreak to inject code into any process they want, placing additional modules into Windows system processes and even trusted applications. The malware decrypts the code, maps it into memory and launches it. It is called fileless because it can inject malware into the system’s memory without leaving any traces behind.
But this isn’t what makes the malware unique and especially tricky; it’s the fact that the encrypted shellcode containing the malware is embedded into Windows event logs. The shellcode is divided into 8 KB blocks and saved in the binary data part of event log records to avoid detection. The dropper places the launcher on disk for side-loading while simultaneously writing the shellcode into the event log as information messages.
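The storage trick described above also gives defenders something to look for. The following is an added illustration, not code from the original article or from the campaign: a heuristic that flags event log sources whose records repeatedly carry full-size (8 KB), high-entropy binary payloads, which is what encrypted shellcode chunks look like while ordinary binary data in event records is small or low-entropy. It assumes the records have already been exported (for instance with Get-WinEvent) into plain dicts; the sample records, the "PlaceholderSource" name and event ID 4242 are constructed for the demo.

```python
import math
import random
from collections import defaultdict

CHUNK_SIZE = 8 * 1024     # article: shellcode is written in 8 KB blocks
MIN_ENTROPY = 7.0         # bits per byte; encrypted data scores close to 8
MIN_RECORDS = 3           # several such blobs from one source suggest staging

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_blob(data: bytes) -> bool:
    """Full-size, high-entropy binary part; short or text-like payloads pass."""
    return len(data) >= CHUNK_SIZE and shannon_entropy(data) >= MIN_ENTROPY

def find_staging_sources(records):
    """Return {(source, event_id): [record indices]} for sources whose
    records carry at least MIN_RECORDS suspicious binary blobs."""
    hits = defaultdict(list)
    for idx, rec in enumerate(records):
        if is_suspicious_blob(rec.get("binary", b"")):
            hits[(rec["source"], rec["event_id"])].append(idx)
    return {key: idxs for key, idxs in hits.items() if len(idxs) >= MIN_RECORDS}

# Constructed sample records (PlaceholderSource / 4242 are made-up values, not
# from the campaign). Records 1-3 mimic three 8 KB encrypted chunks; record 4
# is a large but low-entropy blob that a size-only rule would wrongly flag.
_rng = random.Random(1234)
_chunk = bytes(_rng.getrandbits(8) for _ in range(CHUNK_SIZE))
SAMPLE_RECORDS = [
    {"source": "Service Control Manager", "event_id": 7036, "binary": b""},
    {"source": "PlaceholderSource", "event_id": 4242, "binary": _chunk},
    {"source": "PlaceholderSource", "event_id": 4242, "binary": _chunk[::-1]},
    {"source": "PlaceholderSource", "event_id": 4242, "binary": _chunk[4096:] + _chunk[:4096]},
    {"source": "Application Error", "event_id": 1000,
     "binary": b"Faulting application path: C:\\app.exe\x00" * 300},
]

if __name__ == "__main__":
    for (source, event_id), idxs in find_staging_sources(SAMPLE_RECORDS).items():
        print(f"{source} / event {event_id}: {len(idxs)} suspicious records at {idxs}")
```

Tuning MIN_ENTROPY and MIN_RECORDS against a baseline of your own logs is the real work; the thresholds here only separate the constructed samples.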
Using this complicated scheme, the threat actor can deliver either of its two remote access trojans, both sophisticated and innovative and built on publicly available software. What’s even more concerning is that, with the ability to inject code into any process using these trojans, the actor is perfectly capable of injecting the next modules into Windows system processes or trusted applications.