Hackers are now hiding malware in Windows Event Logs
2022-05-09 12:00

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

The investigation revealed that the malware was part of a "very targeted" campaign and relied on a large set of tools, both custom and commercially available.

One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services, an action completed by a custom malware dropper.

Legezo says that the dropper's purpose is to place the loader on disk for the side-loading process and to look for the particular records in the event logs that the campaign uses. Legezo notes that the entire campaign "looks impressive."
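The technique described above, a payload stored as opaque binary data inside event log records from a particular source, suggests a simple defensive check: flag records whose data looks like binary rather than the short text a normal event carries. The following is an added example, not code from the article or from the researchers it cites; the heuristic thresholds, the record format and the sample records are all constructed assumptions.

```python
import math
import string

# Constructed sample records (not from the article). Each holds the provider
# name, event id and the raw event data, roughly as an exported log might.
SAMPLE_EVENTS = [
    {"provider": "Key Management Service", "event_id": 12288,
     "data": b"KMS activation attempt for a client succeeded."},
    {"provider": "Key Management Service", "event_id": 12290,
     # Constructed stand-in for an opaque binary blob: every byte value, repeated.
     "data": bytes(range(256)) * 8},
    {"provider": "Service Control Manager", "event_id": 7036,
     "data": b"The Windows Update service entered the running state."},
]

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text sits well below 6, random-looking data near 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside the ASCII printable set."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def is_suspicious(record, entropy_threshold=6.0, nonprint_threshold=0.2, min_len=128):
    """Assumed heuristic: long event data that is high-entropy or mostly non-text."""
    data = record["data"]
    if len(data) < min_len:  # short records are ordinary status messages
        return False
    return (shannon_entropy(data) >= entropy_threshold
            or nonprintable_ratio(data) >= nonprint_threshold)


def scan(records, providers=None):
    """Return (provider, event_id) of suspicious records, optionally limited to some providers."""
    return [(r["provider"], r["event_id"]) for r in records
            if (providers is None or r["provider"] in providers) and is_suspicious(r)]


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS, providers={"Key Management Service"}))
```

On a live host the same checks can be run over event data exported with Get-WinEvent, narrowing to the provider the article names; the thresholds will need tuning against a baseline of that environment's normal records.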

Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI. While some modules in the attack are believed to be custom, the researcher notes that they may be part of the NetSPI platform, for which a commercial license was unavailable for testing.
News URL

https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/