Security researchers have discovered new malware that uses the Windows event log to store malicious code. The researchers note that this is the first time this technique has been observed in the wild as part of a malware campaign.
The Trojan is hard to spot because it is not tied to a specific file on the system: instead, the attacker implants it in the Windows event log for later execution.
According to Kaspersky, the perpetrator has not been identified or linked to any active malware clusters.
Kaspersky researchers describe how the threat actor used a variety of evasion and anti-detection techniques on the compromised systems. Dropper modules were used to “patch Windows native API functions” related to event tracing (ETW) and the anti-malware scan interface (AMSI).
The attack was sophisticated; Kaspersky observed its first stage in September 2021. The attackers used the Cobalt Strike framework, but the first step took place at the user level: the target downloaded a RAR archive from the file hosting website file.io and ran it. According to Kaspersky, other targets were attacked with different scenarios and methods, but every attack appears to have involved initial reconnaissance and preparations for follow-on attacks.
This method gave the attackers the ability to inject code into processes, which they used to inject additional modules into Windows processes and trusted applications. Cobalt Strike was not the only toolset the attackers used: Kaspersky also identified traces of the SilentBreak framework, and two of the Trojans, ThrowbackDLL.dll and SlingshotDLL.dll, are named after SilentBreak's Throwback and Slingshot tools.
According to the researchers, the dropper's file name, sb.dll, may also be a reference to the framework. Some tools appear to be custom built, and some function names have been obfuscated to reduce the chance of detection and recognition.
One of the analyzed attacks began with code injection into Windows processes after the initial infection. As part of the attackers' detection-avoidance measures, the dropper removed traces of the earlier attack stages from the system.
It then copied the operating system's legitimate error handler, WerFault.exe, to C:\Windows\Tasks and planted an encrypted binary resource named wer.dll in the same directory to hijack the DLL search order. DLL search order hijacking, often called DLL preloading, is a common attack that tries to get a malicious DLL loaded ahead of the legitimate one.
Applications need to import functions from library files in order to use them. Importing is either implicit or explicit, and since Windows XP a prioritized list of locations is used to select the first candidate DLL file. The first priority in the search order is the application's own directory, followed by the system directory, the 16-bit system directory, the Windows directory and several others.
All the attacker needs to do is place the malicious DLL in a location that is searched before the legitimate DLL's location.
The attacker then added the newly created WerFault.exe to the operating system's autorun by registering it under Software\Microsoft\Windows\CurrentVersion\Run, making the access persistent.
The wer.dll dropper is harmless on its own, since it needs the shellcode stored in the Windows event log in order to run.
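The persistence chain above (a copy of a system binary in a writable directory, a same-named DLL beside it, a Run key pointing at the copy) is something a defender can check for from a registry export and a directory listing. The following is an added example written for this article, not code from Kaspersky or the campaign; the Run values, file paths and the list of system binary names are constructed sample data.

```python
import ntpath
from typing import Dict, List, Set
# Constructed sample data standing in for an exported Run key and a directory listing.
# The paths mirror the pattern described above: a copy of WerFault.exe placed in
# C:\Windows\Tasks next to a planted wer.dll.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WerFault": r"C:\Windows\Tasks\WerFault.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}
SAMPLE_FILESYSTEM = {
    r"C:\Windows\Tasks\WerFault.exe",
    r"C:\Windows\Tasks\wer.dll",
    r"C:\Windows\System32\WerFault.exe",
    r"C:\Windows\System32\wer.dll",
}
# Binaries that belong in the system directories. A small constructed list; a real
# deployment would build it from a clean reference installation.
SYSTEM_BINARIES = {"werfault.exe", "securityhealthsystray.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def exe_path_from_run_value(value: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]

def find_relocated_system_binaries(run_values: Dict[str, str],
                                   filesystem: Set[str]) -> List[Dict[str, object]]:
    """Flag Run entries whose executable carries a system binary's name but sits outside
    the system directories, and list the DLLs present beside it (hijack candidates)."""
    findings = []
    lowered = {p.lower(): p for p in filesystem}
    for name, value in run_values.items():
        exe = exe_path_from_run_value(value)
        directory, base = ntpath.split(exe)
        if base.lower() not in SYSTEM_BINARIES or directory.lower() in SYSTEM_DIRS:
            continue  # either not a system binary name, or sitting in its legitimate home
        siblings = sorted(orig for low, orig in lowered.items()
                          if low.endswith(".dll") and ntpath.dirname(low) == directory.lower())
        findings.append({"run_value": name, "exe": exe, "sibling_dlls": siblings})
    return findings

if __name__ == "__main__":
    for f in find_relocated_system_binaries(SAMPLE_RUN_VALUES, SAMPLE_FILESYSTEM):
        print(f"{f['run_value']}: {f['exe']} with DLLs beside it: {f['sibling_dlls']}")
```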
Implanting attack code in the Windows event log
One of the unique aspects of the campaign was the use of the Windows event log to store the payload. The main advantage is that this fileless approach makes the payload harder to detect.
The dropper looks for the code in the Windows event log; if it is not there, it writes it in 8 KB fragments using the ReportEvent() Windows API function. The stored data is then read back, combined by a separate thread, and executed on the target system.
The launcher “transfers control to the first byte of” the shellcode, according to Kaspersky's research, and passes it the data needed for the next stage of the attack:
- The address of the next Trojan used in the attack.
- A standard ROR13 hash for an exported function.
- Addresses of two strings, which become “arguments of the exported function”.
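The ROR13 hash mentioned above is the classic scheme shellcode uses to name an export without embedding the string. An analyst who has dumped the export table of the DLL under study can precompute the hash of every export and map the value recovered from the launcher's data back to a name. This is an added example written for this article, not code from Kaspersky or the campaign; the export names are constructed, and this variant hashes the ASCII name without its terminating NUL (some loaders include it, so an analyst may need to try both).

```python
from typing import Dict, Iterable, Optional

def ror13_hash(name: str) -> int:
    """Classic ROR13 export-name hash: for each byte of the ASCII name, rotate the 32-bit
    accumulator right by 13 bits, then add the byte. The terminating NUL is not hashed."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export of the DLL under analysis."""
    return {ror13_hash(n): n for n in export_names}

def resolve_export(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash recovered from the launcher's data back to an export name, if known."""
    return table.get(hash_value)

# Constructed export list, standing in for the names an analyst would dump from the
# Trojan DLL's export table (hypothetical names, not the real sample's).
SAMPLE_EXPORTS = ["DllMain", "Initialize", "Configure", "Execute", "Shutdown"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    observed = ror13_hash("Execute")  # value an analyst would read out of the launcher data
    print(f"{observed:#010x} -> {resolve_export(observed, table)}")
```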
Here again, evasion techniques were used to reduce the visibility of the attack.
The last-stage Trojan communicates with a C&C (command and control) server either over HTTP with RC4 encryption or over an unencrypted connection to named pipes. To test the connection it sends an empty, but still encrypted, string.
The late-stage Trojan fingerprints the target system, gathering information such as the computer name, local IP address, architecture, OS version, the MachineGUID value located under SOFTWARE\Microsoft\Cryptography, and whether the process holds SeDebugPrivilege.
The command and control server replies with a code that specifies the Trojan's next action. The options include executing custom commands, downloading a file from a specified URL and saving it to a specified path on the system, listing all processes and their information, or injecting shellcode into the address space of a target process and running it.
The pipe-based Trojan is located at C:\Windows\apds.dll and impersonates the legitimate Microsoft Help Data Services Module library of the same name, which lives in C:\Windows\System32.
Anti-detection techniques used by the attackers
The attackers used a wide range of anti-detection techniques to fly under the radar:
- Use of many different compilers.
- Whitelisted launchers.
- Use of digital certificates: 15 files were signed with “Fast Invest” certificates.
- Patching of ntdll.dll exports.
- Shellcode stored in the Windows event log.
- Mimicking of C2 web domains.
Kaspersky considers the use of the Windows event log for payload storage the “most innovative” part of the campaign. The campaign as a whole is complex, using at least two commercial frameworks and several “types of remote access trojans (RAT) and anti-detection wrappers” in its last phase.
Additional information about the attack is available on Securelist.