Hackers are now hiding malware in Windows Event Logs (Security News, May 2022)
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.
The investigation revealed that the malware was part of a "very targeted" campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services, an action completed by a custom malware dropper.
Legezo says that the dropper's purpose is to load the loader onto the disk for the side-loading process and to look for the particular event log records used in the campaign. Legezo notes that the entire campaign "looks impressive."
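A defender-side heuristic for the storage technique described above, added here as an example and not part of the original report: records written to the Key Management Service log normally carry short text messages, so a record whose data is large, mostly non-printable and high-entropy is worth triage. The source name, thresholds and sample records are assumptions constructed for the example; real hunting would read the live log and tune the thresholds against baseline data.

```python
import math
import string

PRINTABLE = set(string.printable.encode())
KMS_SOURCE = "Key Management Service"  # assumed source name used for the log


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, packed or encrypted code nears 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; event text should be close to 1.0."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def is_suspicious(record, min_size=512, max_printable=0.6, min_entropy=6.0) -> bool:
    """Flag a KMS record that carries an opaque binary blob instead of a text message."""
    if record["source"] != KMS_SOURCE:
        return False
    data = record["data"]
    if len(data) < min_size:  # small records cannot hold a useful payload chunk
        return False
    return printable_ratio(data) < max_printable and shannon_entropy(data) > min_entropy


def scan(records):
    """Return the record ids that the heuristic flags for review."""
    return [r["record_id"] for r in records if is_suspicious(r)]


# Constructed sample records (not real log data): two benign entries and one stand-in
# for a stored payload chunk, built from every byte value so it is maximally opaque.
SAMPLE_RECORDS = [
    {"record_id": 1, "source": KMS_SOURCE, "data": b"Activation request received. " * 30},
    {"record_id": 2, "source": "Application Error", "data": bytes(range(256)) * 8},
    {"record_id": 3, "source": KMS_SOURCE, "data": bytes(range(256)) * 8},
]

if __name__ == "__main__":
    print("flagged records:", scan(SAMPLE_RECORDS))  # → [3]
```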
Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI. While some modules in the attack are believed to be custom, the researcher notes that they may be part of the NetSPI platform, for which a commercial license was unavailable for testing.
News URL
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/