Kaspersky detects fileless malware inside Windows event logs

The cybersecurity firm says this is the first time they’ve seen this type of malware masking method.


An unprecedented discovery by Kaspersky could have severe consequences for those who use Windows operating systems. The cybersecurity firm published an article on May 4 detailing that – for the first time ever – hackers put shellcode in Windows event logs, disguising Trojans as fileless malware.

The malware campaign used a wide range of technologies, such as commercial penetration testing kits and anti-detection wrappers, which included those compiled using the Go programming language as well as many last-stage Trojans.


Hacking groups used two types of last-stage Trojans, which increased access to the system. These were delivered through two different methods: via HTTP network connections and through named pipes.

How hackers sent a Trojan to the event logs

According to Kaspersky, the earliest instance of this malware-hiding technique occurred in September 2021. The attackers managed to get a target to download a .rar file through an original website, which then decompressed the .dll Trojan files onto the intended victim’s hard drive.

“We saw a new targeted malware technology that caught our attention,” said Denis Legezo, chief security researcher at Kaspersky. “For the attack, the actor kept an encrypted shellcode from the Windows event logs and then executed it. This is an approach we have not seen before and highlights the importance of staying aware of threats that might otherwise surprise you. We think it’s useful to add event logs technology to MITRE Matrix’s Defense Evasion and Hide Artifacts section. And using many commercial pentesting suites isn’t something you see every day.”
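A defender's check for the technique described above, added here as an example and not taken from Kaspersky's report: it scans events exported as XML (assumed to be wrapped in one root element) for large, high-entropy binary payloads, which ordinary log records rarely carry. The size and entropy thresholds, the provider names and the sample records are constructed assumptions.

```python
import hashlib
import math
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MIN_BYTES = 1024     # assumed threshold: ordinary binary payloads are small
MIN_ENTROPY = 7.0    # assumed threshold (bits/byte): encrypted data is near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_records(xml_text: str):
    """Return (provider, event_id, size, entropy) for large random-looking payloads."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS).get("Name")
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        for node in ev.iterfind("e:EventData/e:Binary", NS):
            try:
                blob = bytes.fromhex((node.text or "").strip())
            except ValueError:
                continue  # malformed hex: nothing to measure
            ent = shannon_entropy(blob)
            if len(blob) >= MIN_BYTES and ent >= MIN_ENTROPY:
                hits.append((provider, event_id, len(blob), round(ent, 2)))
    return hits


def constructed_sample() -> str:
    # Constructed test data: a hash chain stands in for an encrypted blob.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    ev = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><Provider Name="{p}"/><EventID>{i}</EventID></System>'
          '<EventData><Data>{d}</Data><Binary>{b}</Binary></EventData></Event>')
    return ("<Events>" + ev.format(p="ExampleService", i=1000, d="started", b="01000000")
            + ev.format(p="ExampleProvider", i=1001, d="info", b=blob.hex()) + "</Events>")


if __name__ == "__main__":
    for hit in suspicious_records(constructed_sample()):
        print("review:", hit)
```

A hit is a lead for triage, not a verdict: some legitimate providers log compressed or encrypted data, so thresholds need tuning against a baseline of the environment's own logs.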

In the HTTP network method, the malicious file targets Windows system files and hides a portion of the malware by creating a duplicate of an existing file with “1.1” added to the string, which Kaspersky assumes is the malicious version of the .

“Before HTTP connections, the module sends blank (but still encrypted) data in an ICMP packet to check the connection, using a 32-bit cryptographic long RC4 key,” said Legezo. “Like any other strings, this key is encrypted using the algorithm based on Throwback XOR. If the ping of the control server is successful with port 80 available, the above-mentioned fingerprint data will be sent to it. In response, C2 shares the encrypted command of the main Trojan loop.”

The other method is known as the named pipes-based Trojan, which locates the Microsoft Help Data Services Module library within Windows OS files and then picks an existing file to overwrite with a malware version that can execute a series of commands. Once the malicious version is run, the victim’s device is scraped for information about the build and version of Windows.

How to avoid this type of attack

Kaspersky offers the following tips for Windows users hoping to avoid this type of malware:

  • Use a reliable endpoint security solution.
  • Install anti-APT and EDR solutions.
  • Provide your security team with the latest threat information and training.
  • Incorporate endpoint protection and use dedicated services that can help protect against high-level attacks.

While it is getting more and more difficult to discover the methods used by hackers, it is as important as ever to ensure the security of devices. The responsibility to protect the devices rests with the IT team just as it does with the user of the Windows device. By utilizing endpoint security and a zero-trust architecture, the next major malware attack can be stopped in its tracks, preventing the loss of sensitive data and personal information.
