• Hackers hiding malware in Windows Event Logs

    From TechnologyDaily@1337:1/100 to All on Tue May 10 12:15:04 2022
    Hackers hiding malware in Windows Event Logs

    Date:
    Tue, 10 May 2022 10:56:01 +0000

    Description:
    The first time such a Windows attack technique has been spotted in the wild.

    FULL STORY ======================================================================

    In what seems to be a world first, hackers have used a custom malware dropper to plant fileless malware in Windows event logs for the Key Management Services (KMS).

    Cybersecurity researchers from Kaspersky first spotted the new technique after being tipped off by a customer with an infected endpoint. The entire campaign, the researchers are saying, is very targeted, and deploys a large set of tools, some of which are custom-built, and some of which are commercial.

    According to Kaspersky's Denis Legezo, this is the first time this technique has been spotted in the wild. As he explained, the malware dropper copies WerFault.exe, the OS's legitimate error-handling executable, into the C:\Windows\Tasks folder, and then places a Wer.dll (short for Windows Error Reporting) carrying an encrypted binary resource in the same location. That way, through DLL search order hijacking, the malicious code gets loaded into the system.


    The loader's purpose, Legezo says, is to look for specific lines in the event logs. If it doesn't find them, it writes pieces of encrypted shellcode there, which later form the malware for the next stage of the attack.

    In other words, wer.dll serves as a loader, and without the shellcode in the Windows event logs it can't do much harm.
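    As an added defender-side check (not code from the article or from Kaspersky), the following PowerShell hunts for the two artifacts described above: WerFault.exe and wer.dll sitting in C:\Windows\Tasks, and KMS event log entries whose payload is unusually long or mostly non-text. The log name 'Key Management Service', the thresholds and the output fields are assumptions.

```powershell
# Added hunting check; assumptions: log name, thresholds, artifact directory.
$taskDir = 'C:\Windows\Tasks'

# 1. WerFault.exe / wer.dll outside System32 is the DLL search-order hijack
#    setup the article describes: report presence, signature status and hash.
foreach ($name in 'WerFault.exe', 'wer.dll') {
    $p = Join-Path $taskDir $name
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Finding   = "Unexpected $name in $taskDir"
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

# 2. Shellcode stashed in the KMS log: flag records whose event data is long
#    or consists largely of non-printable bytes (a text log should not be).
function Get-NonPrintableRatio([string]$s) {
    if (-not $s) { return 0 }
    $bad = ([regex]::Matches($s, '[^\x20-\x7E\r\n\t]')).Count
    return $bad / $s.Length
}

$latin1  = [System.Text.Encoding]::GetEncoding(28591)   # 1 byte -> 1 char
$logName = 'Key Management Service'                     # assumed log name
Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue | ForEach-Object {
    $ev = $_
    # Concatenate all event properties; binary blobs are decoded byte-for-byte.
    $payload = ($ev.Properties | ForEach-Object {
        if ($_.Value -is [byte[]]) { $latin1.GetString($_.Value) } else { [string]$_.Value }
    }) -join ''
    $ratio = Get-NonPrintableRatio $payload
    if ($ratio -gt 0.2 -or $payload.Length -gt 4096) {
        [pscustomobject]@{
            TimeCreated  = $ev.TimeCreated
            Id           = $ev.Id
            Provider     = $ev.ProviderName
            NonPrintable = [math]::Round($ratio, 2)
            Length       = $payload.Length
        }
    }
}
```

    Run it elevated; a hit on either check is a lead for triage, not proof of compromise, so pull the flagged file and records for manual review.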

    "The entire technique, and the way it's been pulled off, is impressive," Legezo told the publication. "The actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools," he said, hinting at an APT attacker.


    Who the threat actor is, is anyone's guess at the moment. According to the researchers, the campaign started in September 2021, and given that it bears no similarities to any previously recorded attacks, it's likely that we're looking at a completely new player.

    For the time being, the researchers are dubbing the attacker SilentBreak.

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/hackers-hiding-malware-in-windows-event-logs/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)