Home / About / Threat Intelligence / New technique to hide malware in event logs

Overview

Security researchers have found malware using a new technique to hide malicious code from the file system. By hiding shellcode in Windows event logs, the malware can avoid being picked up by file system scanning.

The initial infection technique for this campaign was to trick users into running a malicious file. There were a few layers of anti-detection before creating an autorun task using a legitimate binary, combined with a malicious .dll file.

Impact

Malware using this technique will be harder to detect.

Vulnerability Detection

There’s no specific vulnerability associated with this malware. It’s a payload that is deployed after initial access.

Affected Products

Microsoft Windows.

Indicators of Compromise

File Hashes (malicious documents, trojans, emails, decoys) Dropper 822680649CDEABC781903870B34FB7A7 345A8745E1E3AE576FBCC69D3C8A310B EF825FECD4E67D5EC5B9666A21FBBA2A FA5943C673398D834FB328CE9B62AAAD

Logs code launcher 2080A099BDC7AA86DB55BADFFBC71566 0D415973F958AC30CB25BD845319D960 209A4D190DC1F6EC0968578905920641 E81187E1F2E6A2D4D3AD291120A42CE7

HTTP Trojan ACE22457C868DF82028DB95E5A3B7984 1CEDF339A13B1F7987D485CD80D141B6 24866291D5DEEE783624AB51516A078F 13B5E1654869985F2207D846E4C0DBFD

Named pipes Trojan and similar 59A46DB173EA074EC345D4D8734CB89A 0B40033FB7C799536C921B1A1A02129F 603413FC026E4713E7D3EEDAB0DF5D8D

Anti-detection wrappers/decryptors/launchers, not malicious by themselves 42A4913773BBDA4BC9D01D48B4A7642F 9619E13B034F64835F0476D68220A86B 0C0ACC057644B21F6E76DD676D4F2389 16EB7B5060E543237ECA689BDC772148 54271C17684CA60C6CE37EE47B5493FB 77E06B01787B24343F62CF5D5A8F9995 86737F0AE8CF01B395997CD5512B8FC8 964CB389EBF39F240E8C474E200CAAC3 59A46DB173EA074EC345D4D8734CB89A A5C236982B0F1D26FB741DF9E9925018 D408FF4FDE7870E30804A1D1147EFE7C DFF3C0D4F6E2C26936B9BD82DB5A1735 E13D963784C544B94D3DB5616E50B8AE E9766C71159FC2051BBFC48A4639243F F3DA1E157E3E344788886B3CA29E02BD

Host-based IoCs C:\Windows\Tasks\wer.dll C:\Windows\Tasks\WerFault.exe copy of the legitimate one to sideload the malicious .dll Named pipe MonolithPipe Event logs with category 0x4142 in Key Management Service source. Events ID auto increments starting from 1423.

PDB paths C:\Users\admin\source\repos\drx\x64\Release\sb.pdb C:\Users\admin\source\repos\drx\x64\Release\zOS.pdb C:\Users\admin\source\repos\drx\x64\Release\ThrowbackDLL.pdb C:\Users\admin\source\repos\drx\x64\Release\drxDLL.pdb C:\Users\admin\source\repos\drx\x64\Release\monolithDLL.pdb

Threat Landscape

The researchers say the code has no similarities to previously known campaigns.

Mitre Methodologies

S0154 – Cobalt Strike

T1055 – Process Injection

T1071Application Layer Protocol: Web Protocols

T1140 – Deobfuscate/Decode Files or Information

T1204.002User Execution: Malicious File

T1480 – Execution Guardrails

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1562.006Impair Defenses: Indicator Blocking

T1564 – Hide Artifacts

T1574.001Hijack Execution Flow: DLL Search Order Hijacking

T1583.001 – Acquire Infrastructure: Domains

T1583.003 – Virtual Private Server

T1587.002 – Code Signing Certificates

T1587.003 – Digital Certificates

Further Information

A new secret stash for “fileless” malware