Kaspersky uncovers fileless malware inside Windows event logs

The cybersecurity company says this is the first time they have seen this type of malware hiding method.

An unprecedented discovery made by Kaspersky could have serious consequences for those using Windows operating systems. The cybersecurity company published an article on May 4 detailing that — for the first time ever — hackers have placed shellcode into Windows event logs, hiding Trojans as fileless malware.

The malware campaign used a wide array of techniques, such as commercial penetration testing suites and anti-detection wrappers, which included those compiled with the programming language Go as well as several last stage Trojans.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The hacking groups employed two types of Trojans for the last stage, gaining further access to the system. This was delivered through two different methods, both via HTTP network communications and by engaging the named pipes.

How hackers dispatched the Trojan into event logs

The earliest instance of this malware hiding taking place occurred in September 2021, according to Kaspersky. The attackers were able to get a target to download an .rar file through an authentic website, which then unpacked .dll Trojan files into the intended victim’s hard drive.

“We witnessed a new targeted malware technique that grabbed our attention,” said Denis Legezo, lead security researcher at Kaspersky. “For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to MITRE Matrix’s Defense Evasion and Hide Artifacts section. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”

The HTTP network method saw the malicious file target the Windows system files, hiding a piece of malware by creating a duplicate of an existing file with “1.1” added to the the string, which is assumed by Kaspersky to be the malicious version of a file.

“Before HTTP communications, the module sends empty (but still encrypted) data in an ICMP packet to check connection, using a hardcoded 32-byte long RC4 key,” Legezo said. “Like any other strings, this key is encrypted with the Throwback XOR-based algorithm. If the ping of a control server with port 80 available is successful, the aforementioned fingerprint data is sent to it. In reply, the C2 shares the encrypted command for the Trojan’s main loop.”

The other method is known as the Named-Based Pipes Trojan, which locates the Microsoft Help Data Services Module library within Windows OS files and then grabs an existing file to overwrite it with a malware version that can execute a string of commands. Once the malicious version is run, the victim’s device is scraped for architecture and Windows version information.

How to avoid this type of attack

Kaspersky offers the following tips to Windows users hoping to avoid this type of malware:

• Use a reliable endpoint security solution.
• Install anti-APT and EDR solutions.
• Provide your security team with the latest threat intelligence and training.
• Integrate endpoint protection and employ dedicated services that can help protect against high-profile attacks.

While the methods used by hackers continue to become harder to detect, it’s as important as ever to ensure devices are secure. The responsibility for protecting devices falls just as much onto the shoulders of the IT team as it does the user of a Windows device. By employing endpoint security and zero-trust architecture, the next big malware attack can be stopped in its tracks, preventing the loss of sensitive data and personal information.