A sophisticated campaign uses a novel anti-detection method.
Researchers have discovered a malicious campaign using a never-before-seen technique for quietly planting fileless malware on target machines.
The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as cover for malicious late-stage trojans, according to a Kaspersky research report released Wednesday.
Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month.
“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” wrote Denis Legezo, senior security researcher with Kaspersky’s Global Research and Analysis Team.
The attackers behind the campaign use a series of injection tools and anti-detection techniques to deliver the malware payload. “With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable,” Legezo wrote.
Fileless Malware Hides in Plain Sight (Event Logs)
The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. Both tools are popular among attackers, who use them as a vehicle for delivering shellcode to target machines.
Cobalt Strike and SilentBreak each use a separate anti-detection AES decryptor, compiled with Visual Studio.
The digital certificates used to sign the Cobalt Strike modules vary. According to Kaspersky, “15 different stagers from wrappers to last stagers were signed.”
Next, the attackers leverage Cobalt Strike and SilentBreak to “inject code into any process” and can inject additional modules into Windows system processes or trusted applications such as DLP software.
“This layer of infection chain decrypts, maps into memory and launches the code,” they said.
The ability to inject malware into a system’s memory classifies it as fileless. As the name suggests, fileless malware infects targeted computers while leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. The technique, where attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new. Note that in this campaign only the payload stays out of files: a small loader DLL is still dropped to disk, which is the artifact defenders should look for.
What is new, however, is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs.”
Legezo said, “The dropper not only puts the launcher on disk for side-loading, but also writes information messages with shellcode into existing Windows KMS event log.”
“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs,” he continues. “The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”
Next, a launcher is dropped into the Windows Tasks directory. “At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it,” the researcher wrote.
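The staging and reassembly steps described above, modelled as an added example that is not Kaspersky’s code or the campaign’s own: it simulates the dropper’s ReportEvent() calls (one information record per 8 KB chunk, category 0x4142, source “Key Management Service”, chunk in the raw-data field), the launcher thread’s reassembly, and a hunting check that runs over constructed records. Event records are represented as plain dicts, the assumption that chunks are recovered in record-number order, and the sample records are constructed here, none of which come from the report.

```python
"""
Added example, not Kaspersky's code and not the malware: a model of the
event-log staging described in the report and a detector for it.

Assumptions not taken from the page: event records are plain dicts
standing in for Application-log entries; the launcher reassembles chunks
in record-number order; a legitimate KMS event carries no raw binary data.
"""
import hashlib
import random

CHUNK_SIZE = 8 * 1024          # "divided into 8 KB blocks"
MARKER_CATEGORY = 0x4142       # "AB" in ASCII, as quoted in the report
MARKER_SOURCE = "Key Management Service"


def stage_shellcode(log, payload, source=MARKER_SOURCE, category=MARKER_CATEGORY):
    """Model of the dropper's ReportEvent() loop: append one information
    record per 8 KB chunk, with the chunk where lpRawData would put it."""
    next_id = (log[-1]["record_id"] + 1) if log else 1
    for offset in range(0, len(payload), CHUNK_SIZE):
        log.append({
            "record_id": next_id,
            "source": source,
            "category": category,
            "event_type": "information",
            "message": "",
            "raw_data": payload[offset:offset + CHUNK_SIZE],
        })
        next_id += 1
    return log


def find_staged_chunks(log, source=MARKER_SOURCE, category=MARKER_CATEGORY):
    """Detector: reuse the dropper's own lookup criteria (source + category)
    and add the property a genuine KMS event lacks, a non-empty raw-data blob."""
    return [r for r in log
            if r["source"] == source
            and r["category"] == category
            and r.get("raw_data")]


def reassemble(chunks):
    """Model of the launcher thread: concatenate the chunks in record order."""
    return b"".join(r["raw_data"] for r in sorted(chunks, key=lambda r: r["record_id"]))


def hunt(log):
    """Return (finding, reassembled_bytes); finding is None when nothing matches."""
    chunks = find_staged_chunks(log)
    if not chunks:
        return None, b""
    blob = reassemble(chunks)
    finding = {
        "records": [r["record_id"] for r in chunks],
        "total_bytes": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        # every chunk but the last is expected to be exactly CHUNK_SIZE long
        "full_chunks": sum(1 for r in chunks if len(r["raw_data"]) == CHUNK_SIZE),
    }
    return finding, blob


def sample_log():
    """Constructed records: three benign events with no raw data, including
    one that matches source and category but carries nothing, followed by a
    20000-byte pseudo-random payload staged as 8192 + 8192 + 3616 bytes."""
    log = [
        {"record_id": 1, "source": MARKER_SOURCE, "category": 0, "event_type": "information",
         "message": "Activation attempt succeeded", "raw_data": b""},
        {"record_id": 2, "source": "Windows Error Reporting", "category": 0, "event_type": "information",
         "message": "Fault bucket", "raw_data": b""},
        {"record_id": 3, "source": MARKER_SOURCE, "category": MARKER_CATEGORY, "event_type": "information",
         "message": "KMS status", "raw_data": b""},
    ]
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(20000))
    return stage_shellcode(log, payload), payload


if __name__ == "__main__":
    log, payload = sample_log()
    finding, blob = hunt(log)
    print(finding)
    print("reassembled == original:", blob == payload)
```

On a live host the same filter is applied to the Application log (the category value 0x4142 is 16706 in decimal), and the recovered blob is what the side-loaded wer.dll would execute, so hashing it is the first step toward matching it against the campaign’s known last-stage modules. Record 3 in the constructed log shows why the raw-data check matters: source and category alone can match an empty informational event.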
“Such attention to the event logs in the campaign isn’t limited to storing shellcodes,” the researchers added. “Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.”
Unidentified Adversary Delivers Payload of Pain
Using this stealthy approach, the attackers can deliver either of their two remote access trojans (RATs), each one a combination of complex, custom code and elements of publicly available software.
In all, with their “ability to inject code into any process using Trojans, the attackers are free to use this feature widely to inject the next modules into Windows system processes or trusted applications.”
Attribution on the internet is tricky. The best that analysts can do is dig deep into attackers’ tactics, techniques and procedures (TTPs), and the code they write. If those TTPs or that code overlap with past campaigns from known actors, it might be grounds for incriminating a suspect.
In this example, the researchers found attribution difficult.
That’s because, beyond the unprecedented technique of injecting shellcode into Windows event logs, there’s one other unique component to this campaign: the code itself. While the droppers are commercially available products, the anti-detection wrappers and RATs they come paired with are custom made (though, the researchers hedged, “some modules which we consider custom, such as wrappers and last stagers, could possibly be parts of commercial products”).
According to the report, “the code is quite unique, with no similarities to known malware.” For that reason, the researchers have yet to determine the identity of the attackers.
“If new modules appear and allow us to connect the activity to some actor we will update the name appropriately.”