Attackers Use Event Logs to Hide Fileless Malware

A sophisticated campaign utilizes a novel anti-detection method.

Researchers have discovered a malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines.

The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late stage trojans, according to a Kaspersky research report released Wednesday.

Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month.

“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” wrote Denis Legezo, senior security researcher with Kaspersky’s Global Research and Analysis Team.

The attackers behind the campaign use a series of injection tools and anti-detection technique to deliver the malware payload. “With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable,” Legezo wrote.

Fileless Malware Hides in Plain Sight (Event Logs)

The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file boobytrapped with the network

Read More: https://threatpost.com/attackers-use-event-logs-to-hide-fileless-malware/179484/