A new fileless malware technique exploits Windows event logs to hide.

PARIS, May 24 (Benin News/EP) –

The experts of the multinational dedicated to computer security Kaspersky discovered a new technique for hiding fileless malware in enterprise event logs. Windows.

Windows Events is a tool that logs system activity, including computer errors and warnings, which makes it particularly useful for understanding and dealing with any computer problem.

The company’s experts detected a targeted malware campaign using a technique they called “unique”, in which “the attacker recorded and then executed encrypted ‘shellcode’ from Windows event logs “, as the company’s principal researcher, Denis Legezo, pointed out in a statement sent to Europa Press.

The attack begins with the infection of the system, which is carried out through the module Module « dropper (a type of “malware” containing an executable file) of a document downloaded by the victim.

Attackers then inject the malware into fragments of shellcode (which control processes and files) encrypted in Windows event logs. They are then decrypted and executed.

Additionally, they use a variety of anti-detection “wrappers” (programs or codes that wrap other components) in order to avoid detection. Kaspersky points out that some The modules have even been signed with a digital certificate. for greater accuracy.

Once inside the system and in the final phase of their attack, cybercriminals use two types of Trojans to gain more control. These are governed by two different communication mechanisms: HTTP with RC4 encryption and unencrypted named pipes.

Cybercriminals also rely on commercial “pentesting” tools (a set of simulated attacks to detect weaknesses in a system). SilentBreak y CobaltStrike. Thus, they combine known techniques with custom decryptors.

The company’s experts acknowledge that this is “the first time” that they have observed the use of Windows event logs to hide shell codes and carry out such an attack.

HOW TO PROTECT YOURSELF FROM “MALWARE” WITHOUT FILE.

To protect once morest fileless malware and similar threats, Kaspersky recommends using a reliable endpoint security solution that can detect anomalies in file behavior and counter large-scale attacks, as well as install anti-APT and EDR solutions capable of discovering and detecting threats, as well as to investigate and remedy incidents.

Experts also advise providing the Security Operations Center (SOC) team with access to the latest threats, as well as regularly updating its members through professional trainings.

Leave a Replay