Hackers are now hiding malware in Windows Event Logs (Security News, May 2022)
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
The method enabled the threat actor behind the attack to plant fileless malware on the target system, in an attack that combined techniques and modules designed to keep the activity as stealthy as possible.
The investigation revealed that the malware was part of a "very targeted" campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services, an action completed by a custom malware dropper.
Legezo says that the dropper's purpose is to place the loader on disk for the side-loading process and to look for the particular records in the event logs used in the campaign. Legezo notes that the entire campaign "looks impressive."
Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI. While some modules in the attack are believed to be custom, the researcher notes that they may be part of the NetSPI platform, for which a commercial license was unavailable for testing.
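A hunting check for the storage technique described above, added here as an example and not part of the article or of the researcher's tooling. It assumes the legitimate Key Management Service log normally carries only small binary data blocks, so records with a large embedded binary payload are worth review; the log name comes from the article, while the size threshold, event count and function name are assumptions to tune locally.

```powershell
# Added example (not from the article): list records in the Key Management Service
# event log whose embedded binary data is unusually large, which is where the
# article says the dropper stored shellcode chunks. Threshold is an assumption.
param(
    [string]$LogName   = 'Key Management Service',  # log named in the article
    [int]   $MinBytes  = 256,                        # assumed cutoff for "too large"
    [int]   $MaxEvents = 5000                        # assumed scan window
)

function Find-OversizedKmsRecords {
    param([string]$LogName, [int]$MinBytes, [int]$MaxEvents)

    $events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # The XML view of a record exposes the <Binary> element, a hex string of
        # the raw bytes the logging process attached to the event.
        $xml = [xml]$ev.ToXml()
        $bin = $xml.Event.EventData.Binary
        if (-not $bin) { continue }

        $byteCount = [int]($bin.Length / 2)          # two hex chars per byte
        if ($byteCount -ge $MinBytes) {
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                RecordId    = $ev.RecordId
                EventId     = $ev.Id
                Provider    = $ev.ProviderName
                Bytes       = $byteCount
                HexPrefix   = $bin.Substring(0, [Math]::Min(32, $bin.Length))
            }
        }
    }
}

# Largest payloads first; an empty table means nothing exceeded the threshold.
Find-OversizedKmsRecords -LogName $LogName -MinBytes $MinBytes -MaxEvents $MaxEvents |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run it in an elevated session on the host under review; a hit is a lead to inspect, not proof of compromise, since some providers legitimately log larger data blocks.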
News URL
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/