Get in Touch
New technique to hide malware in event logs
Overview
Security researchers have found malware using a new technique to hide malicious code from the file system. By hiding shellcode in Windows event logs, the malware can avoid being picked up by file system scanning.
The initial infection technique for this campaign was to trick users into running a malicious file. There were a few layers of anti-detection before creating an autorun task using a legitimate binary, combined with a malicious .dll file.
Impact
Malware using this technique will be harder to detect.
Vulnerability Detection
There’s no specific vulnerability associated with this malware. It’s a payload that is deployed after initial access.
Affected Products
Microsoft Windows.
Indicators of Compromise
File Hashes (malicious documents, trojans, emails, decoys) Dropper 822680649CDEABC781903870B34FB7A7 345A8745E1E3AE576FBCC69D3C8A310B EF825FECD4E67D5EC5B9666A21FBBA2A FA5943C673398D834FB328CE9B62AAAD
Logs code launcher 2080A099BDC7AA86DB55BADFFBC71566 0D415973F958AC30CB25BD845319D960 209A4D190DC1F6EC0968578905920641 E81187E1F2E6A2D4D3AD291120A42CE7
HTTP Trojan ACE22457C868DF82028DB95E5A3B7984 1CEDF339A13B1F7987D485CD80D141B6 24866291D5DEEE783624AB51516A078F 13B5E1654869985F2207D846E4C0DBFD
Named pipes Trojan and similar 59A46DB173EA074EC345D4D8734CB89A 0B40033FB7C799536C921B1A1A02129F 603413FC026E4713E7D3EEDAB0DF5D8D
Anti-detection wrappers/decryptors/launchers, not malicious by themselves 42A4913773BBDA4BC9D01D48B4A7642F 9619E13B034F64835F0476D68220A86B 0C0ACC057644B21F6E76DD676D4F2389 16EB7B5060E543237ECA689BDC772148 54271C17684CA60C6CE37EE47B5493FB 77E06B01787B24343F62CF5D5A8F9995 86737F0AE8CF01B395997CD5512B8FC8 964CB389EBF39F240E8C474E200CAAC3 59A46DB173EA074EC345D4D8734CB89A A5C236982B0F1D26FB741DF9E9925018 D408FF4FDE7870E30804A1D1147EFE7C DFF3C0D4F6E2C26936B9BD82DB5A1735 E13D963784C544B94D3DB5616E50B8AE E9766C71159FC2051BBFC48A4639243F F3DA1E157E3E344788886B3CA29E02BD
Host-based IoCs C:\Windows\Tasks\wer.dll C:\Windows\Tasks\WerFault.exe copy of the legitimate one to sideload the malicious .dll Named pipe MonolithPipe Event logs with category 0x4142 in Key Management Service source. Events ID auto increments starting from 1423.
PDB paths C:\Users\admin\source\repos\drx\x64\Release\sb.pdb C:\Users\admin\source\repos\drx\x64\Release\zOS.pdb C:\Users\admin\source\repos\drx\x64\Release\ThrowbackDLL.pdb C:\Users\admin\source\repos\drx\x64\Release\drxDLL.pdb C:\Users\admin\source\repos\drx\x64\Release\monolithDLL.pdb
Threat Landscape
The researchers say the code has no similarities to previously known campaigns.
Mitre Methodologies
S0154 – Cobalt Strike
T1055 – Process Injection
T1071 – Application Layer Protocol: Web Protocols
T1140 – Deobfuscate/Decode Files or Information
T1204.002 – User Execution: Malicious File
T1480 – Execution Guardrails
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1562.006 – Impair Defenses: Indicator Blocking
T1564 – Hide Artifacts
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
T1583.001 – Acquire Infrastructure: Domains
T1583.003 – Virtual Private Server
T1587.002 – Code Signing Certificates
T1587.003 – Digital Certificates