This New Malware Family Using CLFS Log Files to Avoid Detection
2021-09-03 03:40

Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System to hide a second-stage payload in registry transaction files in an attempt to evade detection mechanisms.

FireEye's Mandiant Advanced Practices team, which made the discovery, dubbed the malware PRIVATELOG, and its installer, STASHLOG. Specifics about the identities of the threat actor or their motives remain unclear.

CLFS is a general-purpose logging subsystem in Windows that is accessible to both kernel-mode and user-mode code. Applications such as database systems, OLTP systems, messaging clients, and network event management systems use it to build and share high-performance transaction logs.

"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers explained in a write-up published this week.

The STASHLOG installer accepts the next-stage payload as an argument and stashes its contents in a specific CLFS log file.

"Similarly to STASHLOG, PRIVATELOG starts by enumerating *.BLF files in the default user's profile directory and uses the .BLF file with the oldest creation date timestamp," the researchers noted. STASHLOG writes the encrypted second-stage payload into that file, and PRIVATELOG later reads it back and decrypts it.

Mandiant recommends that organizations apply YARA rules to scan internal networks for signs of the malware and look for the associated Indicators of Compromise in "Process", "Imageload" or "Filewrite" events recorded by endpoint detection and response (EDR) systems.
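Two details above translate directly into hunting logic: the file-selection rule (the oldest-created *.BLF in the default user's profile directory) tells a responder which file to pull and examine first, and the advice to watch "Filewrite" events suggests a simple triage rule for EDR telemetry. The Python below is an added example written for this page, not Mandiant's tooling and not the malware's code. It assumes a constructed JSON-lines event schema with the fields event, process, pid and path, that the default profile is C:\Users\Default, and that the legitimate writer of the registry-transaction .BLF files there is the System process (pid 4), so a write from any other process is worth a look. All sample files and events are constructed, not real telemetry.

```python
"""Hunting helpers for the PRIVATELOG/STASHLOG .BLF abuse described above.

Added example for this page (not Mandiant's or the malware's code).
Assumptions not taken from the article: the EDR event schema below, the
default profile path, and that only the System process (pid 4) legitimately
writes registry-transaction .BLF files under that profile.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: location of the default user's profile.
DEFAULT_PROFILE = r"C:\Users\Default"


@dataclass(frozen=True)
class BlfFile:
    path: str
    created: datetime
    size: int


def _is_default_profile_blf(path: str) -> bool:
    """True for any *.BLF below the default profile (case-insensitive).
    Depth is not restricted; the article only says 'in the default user's
    profile directory'."""
    p = path.lower()
    return p.startswith(DEFAULT_PROFILE.lower() + "\\") and p.endswith(".blf")


def pick_oldest_blf(files):
    """Reproduce the selection rule the article attributes to STASHLOG and
    PRIVATELOG: among *.BLF files in the default profile, the one with the
    oldest creation timestamp. For a responder this is the file to image and
    inspect first, because it is where a payload would have been stashed."""
    candidates = [f for f in files if _is_default_profile_blf(f.path)]
    if not candidates:
        return None
    return min(candidates, key=lambda f: f.created)


def suspicious_blf_writes(event_lines, trusted_pids=frozenset({4})):
    """Triage EDR events (one JSON object per line, constructed schema) and
    return 'Filewrite' events to default-profile *.BLF files whose writer is
    not a trusted pid. Other event types are ignored."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("event") != "Filewrite":
            continue
        path = ev.get("path", "")
        if not _is_default_profile_blf(path):
            continue
        if ev.get("pid") in trusted_pids:
            continue
        hits.append((ev.get("process", "?"), ev.get("pid"), path))
    return hits


# Constructed sample data (GUIDs and pids are placeholders).
SAMPLE_FILES = [
    BlfFile(r"C:\Users\Default\NTUSER.DAT{00000000-0000-0000-0000-000000000001}.TM.blf",
            datetime(2019, 12, 7, 9, 3, tzinfo=timezone.utc), 65536),
    BlfFile(r"C:\Users\Default\NTUSER.DAT{00000000-0000-0000-0000-000000000002}.TM.blf",
            datetime(2021, 3, 2, 14, 21, tzinfo=timezone.utc), 65536),
    # Older, but in another user's profile: outside the malware's search scope.
    BlfFile(r"C:\Users\alice\NTUSER.DAT{00000000-0000-0000-0000-000000000003}.TM.blf",
            datetime(2018, 1, 1, tzinfo=timezone.utc), 65536),
]

SAMPLE_EVENTS = [
    r'{"event":"Process","process":"rundll32.exe","pid":5124,"cmdline":"rundll32.exe"}',
    r'{"event":"Filewrite","process":"System","pid":4,"path":"C:\\Users\\Default\\NTUSER.DAT{00000000-0000-0000-0000-000000000001}.TM.blf"}',
    r'{"event":"Filewrite","process":"rundll32.exe","pid":5124,"path":"C:\\Users\\Default\\NTUSER.DAT{00000000-0000-0000-0000-000000000001}.TM.blf"}',
    r'{"event":"Filewrite","process":"notepad.exe","pid":7310,"path":"C:\\Users\\alice\\notes.txt"}',
    r'{"event":"Imageload","process":"rundll32.exe","pid":5124,"path":"C:\\Windows\\System32\\clfsw32.dll"}',
]


if __name__ == "__main__":
    target = pick_oldest_blf(SAMPLE_FILES)
    print("file the malware would select:", target.path if target else None)
    for proc, pid, path in suspicious_blf_writes(SAMPLE_EVENTS):
        print(f"suspicious .BLF write by {proc} (pid {pid}) -> {path}")
```

Run against real telemetry, the first function tells you which .BLF to acquire and compare against a clean baseline, and the second narrows a day of Filewrite events to the handful touching that path from user-mode processes; tune trusted_pids to whatever your EDR reports for kernel-originated writes.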


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/XJVDI_HAZlE/this-new-malware-family-using-clfs-log.html