Researchers at Kaspersky have found a malicious campaign that stores its malware inside Windows event logs, a technique not previously seen in attacks in the wild. The method lets threat actors plant fileless malware in the file system, keeping the attack activity as stealthy as possible:
The initial infection of the system was carried out by a dropper module from an archive downloaded by the victim. The attackers used a variety of previously unseen anti-detection wrappers to make the last-stage Trojans even less visible. To further avoid detection, some modules were signed with a digital certificate.
The attackers employed two types of Trojans for the last stage. These were used to gain further access to the system; commands from the control servers are delivered in two ways: over HTTP network communications and via named pipes. Some Trojan versions used a command system containing dozens of commands from the C2.
The campaign also included commercial pentesting tools, namely SilentBreak and Cobalt Strike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcode on the system.
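A defender-side illustration of the technique described above: a heuristic that flags event-log records whose data field looks like a sizeable binary payload rather than the text an event normally carries. This is added example code, not Kaspersky's or the campaign's; the record layout, field names and sample events are constructed assumptions.

```python
"""Heuristic scan of event-log records for embedded binary payloads."""
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, packed or encrypted code nears 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(data: bytes) -> bool:
    """True if the bytes decode cleanly as printable UTF-8 or UTF-16-LE text."""
    for codec in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(codec)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return True
    return False


def is_suspicious(data: bytes, min_size: int = 256, entropy_threshold: float = 5.5) -> bool:
    """Flag record data that is sizeable, not readable text, and high-entropy."""
    return (len(data) >= min_size and not looks_like_text(data)
            and shannon_entropy(data) > entropy_threshold)


def scan(events):
    """Return the ids of records whose data field trips the heuristic."""
    return [e["id"] for e in events if is_suspicious(e["data"])]


# Constructed sample records (field names are an assumption for this example,
# not the real Windows event schema). Record 3 carries a seeded pseudo-random
# blob standing in for an encrypted shellcode chunk written into the log.
_rng = random.Random(7)
SAMPLE_EVENTS = [
    {"id": 1, "source": "Service Control Manager",
     "data": "The Windows Update service entered the running state.".encode("utf-16-le")},
    {"id": 2, "source": "Application",
     "data": b"Installer completed successfully, exit code 0. " * 12},
    {"id": 3, "source": "ExampleSource",
     "data": bytes(_rng.getrandbits(8) for _ in range(1024))},
]
```

Tuning note: the entropy threshold is deliberately below the ~7.8 that encrypted data produces so that unpacked machine code, which typically scores between 5.5 and 6.5, is still caught; raise `min_size` if short binary event data in your environment causes noise.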
Saryu Nayyar, CEO and Founder of Gurucul, had this to say about this unfortunate news:
Fileless Malware Campaign