Security researchers have found that hackers have found a way to infect Windows event logs with malware that doesn’t contain files.
On May 4, Kaspersky researchers revealed a “new cache of fileless malware”. During a “highly targeted” campaign, hackers used Windows event logs to inject shellcode payloads and work stealthily.
This new approach is quite complex and yet it could still become popular, as it appears to be very effective for malicious DLL injection and evasion of detection. Kaspersky researchers discovered that the attackers used various tools, including custom and commercial solutions such as Cobalt Strike and a new set of tools used by hackers.
The researchers said it was clearly the work of an advanced threat actor but they could not attribute the campaign to a known APT group. The campaign is currently called “SilentBreak”, after the name of the toolkit used by hackers.
Read also: How Cobalt Strike became a favorite tool of hackers
SilentBreak Attack Techniques
The researchers were amazed at the “diversity of campaign techniques and units”, so they made a classification to analyze the units one by one:
All these stages were possible because the hackers managed to trick the target into downloading an infected .rar file on file.io, a legitimate website. Then, they were able to deploy a digitally signed Cobalt Strike module to hack sensitive data.
How did attackers inject code into the Windows registry
The researchers detected malicious payloads in the Windows event logs of the Key Management Services (KMS):
To achieve the first phase of their campaign, the hackers used a custom malware dropper that copies the Windows Error Reporting (WerFault.exe) file to C:\Windows\Tasks, then drops the malicious binary into the same directory:
This technique is called DLL hijacking and it consists of replacing the requested DLL file with a malicious file and placing it in the same directory as the target application. The system uses DLL (Dynamic Link Library) files to store some resources that the application needs and it will load automatically.
The new WerFault.exe is then set to auto-run, which creates a “Windows Problem Reporting Value in the Windows Software\Microsoft\Windows\CurrentVersion\Run registry branch”.
Then the dropper searches for records with a specific class (0x4142) and with KMS as the source. If no code is found, the shellcode encoded in 8KB fragments is written to the event logs.
Kaspersky researchers explored the code and discovered that it acts as a proxy to intercept all calls to the original library (the legitimate library) and prepare the next stages, indicating an iterative procedure.
Hackers focus on evasion
It is clear that the highest priority of this operation was to remain undetected. To achieve this, the attackers used various anti-detection techniques such as:
- A legitimate digital certificate for signing malicious files
- Automatically run copies of the legitimate executable (Werfault.exe)
- Anti-detection wrappers compiled in different languages such as Go or C++
- Ambiguous function names in code
- Malicious instructions are broken into pieces of shellcode in the Windows event logs
Malware analysis by Kaspersky is very cool and detailed. The researchers had to write custom scripts to decode all the hidden regions.
According to the research, the most unusual and innovative aspect of the SilentBreak campaign is “the encrypted shellcode is broken into 8 KB blocks and saved in the binary portion of the event log.”
During the second stage, hackers used custom decoder launchers for Cobalt Strike to decrypt shellcode, map it to memory and eventually execute malicious instructions and spread malware.
Also Read: How Hackers Evade Detection
The campaign relied on Trojans
The attackers used two types of Trojans:
- HTTP based Trojan with C2 (Command and Control)
- Trojan with pipe names
The shellcode encoded in the event logs contained very specific arguments such as the address of the next stage of the Trojan or the hashes of function names used within the Trojan.
There were also unused strings such as “dev” and the constant “4.” The researchers believe that the trigger may support other modules that require additional parameters, which could explain such artifacts.
The HTTP Trojan appears to generate information containing fingerprints such as computer name, local IP addresses, OS version, architecture (x86 or x64), and MachineGUID values.
This information is then used to send targeted instructions over the rogue communication channel (C2).
According to the researchers, the so-called tube trojan has a “more in-depth command system,” including privilege escalation, taking screenshots, or measuring inactivity time.
How to protect against event log attacks
This high degree of preparation and time spent writing custom modules and decoders point to the operation of an advanced hacking group that remains unidentified at the time of writing.
There isn’t much you can do to anticipate such high-level attacks, and it’s unlikely that your antivirus or built-in firewalls will catch them. However, you can take concrete measures such as using EDR and other endpoint security solutions to increase your chances of detecting unusual and suspicious activities, especially if these solutions have a behavioral component.
A zero-trust architecture may also help contain infection, as here, for example, hackers had a strategy to spread their malware and repeat the infection cycle.
Security and knowledge base vendors such as MITER ATT & CK are likely to add this new approach to their catalogs in the coming months. In any case, this would be a good idea to help security teams map the technology for threat intelligence purposes.
read the following: