SilentBreak APT activity uses Windows event logs to store malware

Hackers now hide malware in Windows event logs

Security researchers have observed a malicious campaign that uses Windows event logs to store malware, a technique not previously publicly documented in attacks in the wild.

This method enabled the attacker to plant fileless malware in the file system, in an attack full of techniques and modules designed to keep the activity as hidden as possible.

Adding payloads to Windows event logs

Kaspersky researchers collected a sample of the malware after a company product with behavior-based detection and anomaly-control technology flagged it as a threat on a customer’s computer.

The investigation revealed that the malware was part of a “highly targeted” campaign and relied on a wide range of tools, both custom-built and commercially available.

One of the more interesting parts of the attack is the injection of shellcode payloads into the Windows event logs of the Key Management Services (KMS), an action carried out by a dedicated malware dropper.

This method was used “for the first time” in the wild “during the malicious campaign,” says Denis Legezo, principal security researcher at Kaspersky.

The dropper copies the legitimate OS error-handling executable WerFault.exe to C:\Windows\Tasks, then drops an encoded binary resource as wer.dll (Windows Error Reporting) in the same location, in order to hijack the DLL search order and load malicious code.

DLL hijacking is a technique that abuses legitimate programs lacking sufficient checks on where they load their libraries from, so that they load a malicious DLL into memory from an attacker-chosen path.

Legezo says that the purpose of the dropper is to load on disk for the side-loading process and to search the event logs for particular records (category 0x4142, “AB” in ASCII). If no such record is found, it writes 8K chunks of encoded shellcode, which are subsequently combined to form the code for the next stager.

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs” – Denis Legezo, Principal Security Researcher at Kaspersky
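The two dropper artifacts described above (a copy of WerFault.exe outside the system directories with a wer.dll beside it, and oversized, high-entropy records in the KMS event log) are both things a defender can hunt for. The following is an added example written for this page, not Kaspersky’s or BleepingComputer’s code. It works on a constructed file inventory and constructed event records rather than a live system, and it assumes the “8K” chunks are 8192 bytes and that encoded shellcode shows near-maximal byte entropy; the thresholds and sample data are assumptions, not values from the report.

```python
"""Hunting heuristics for the SilentBreak dropper artifacts (added example)."""
import math
import ntpath
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# --- Indicator 1: WerFault.exe + wer.dll living together outside System32 ---

# Assumption: these are the only directories where WerFault.exe legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def find_werfault_sideload_candidates(paths: Iterable[str]) -> List[str]:
    """Return directories (lower-cased) that hold both WerFault.exe and wer.dll
    and are not a Windows system directory. That layout is the DLL search-order
    hijack the dropper sets up in C:\\Windows\\Tasks."""
    by_dir: Dict[str, Set[str]] = {}
    for p in paths:
        directory, name = ntpath.split(p)  # ntpath handles Windows paths on any host
        by_dir.setdefault(directory.lower(), set()).add(name.lower())
    return sorted(
        d for d, names in by_dir.items()
        if d not in SYSTEM_DIRS and {"werfault.exe", "wer.dll"} <= names
    )


# --- Indicator 2: shellcode chunks parked in the KMS event log ---

@dataclass
class EventRecord:
    channel: str
    category: int
    data: bytes


MARKER_CATEGORY = 0x4142   # "AB" in ASCII, the category the article reports
CHUNK_SIZE = 8192          # assumption: "8K" chunk taken as 8192 bytes
ENTROPY_THRESHOLD = 7.0    # assumption: encoded/encrypted bytes sit near 8 bits/byte
MIN_ENTROPY_LEN = 1024     # ignore tiny records, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def suspicious_records(records: Iterable[EventRecord]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for records matching any of the indicators:
    the 0x4142 marker category, a chunk-sized payload, or high-entropy data."""
    hits = []
    for i, rec in enumerate(records):
        reasons = []
        if rec.category == MARKER_CATEGORY:
            reasons.append("category 0x4142 marker")
        if len(rec.data) >= CHUNK_SIZE:
            reasons.append(f"payload of {len(rec.data)} bytes")
        ent = shannon_entropy(rec.data)
        if len(rec.data) >= MIN_ENTROPY_LEN and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} bits/byte")
        if reasons:
            hits.append((i, reasons))
    return hits


# --- Constructed sample data (not real telemetry) ---

SAMPLE_FILES = [
    r"C:\Windows\System32\WerFault.exe",
    r"C:\Windows\System32\wer.dll",
    r"C:\Windows\Tasks\WerFault.exe",      # copied out of System32
    r"C:\Windows\Tasks\wer.dll",           # dropped loader beside it
    r"C:\Users\alice\Downloads\report.rar",
]


def _fake_chunk(seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encoded shellcode chunk."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))


SAMPLE_RECORDS = [
    EventRecord("Key Management Service", 0,
                b"KMS client activation request from host WS01 succeeded\r\n" * 4),
    EventRecord("Key Management Service", MARKER_CATEGORY, _fake_chunk(1)),
    EventRecord("Key Management Service", MARKER_CATEGORY, _fake_chunk(2)),
]

if __name__ == "__main__":
    print("side-load directories:", find_werfault_sideload_candidates(SAMPLE_FILES))
    for idx, why in suspicious_records(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(why)}")
```

On a real host the file inventory would come from EDR or a directory walk and the records from the KMS channel (for example via `Get-WinEvent` exported to a parseable form); the heuristics themselves do not change. The entropy check is deliberately kept separate from the category check so that a loader using a different marker value still trips the size-plus-entropy rule.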

It’s possible that the new technique Kaspersky analyzed is on its way to becoming more popular, as source code for injecting payloads into the Windows event logs was publicly available for a brief period.

Technically advanced actor

Based on the different techniques and modules (pen-test kits, custom anti-detection wrappers, and final-stage Trojans) used in the campaign, Legezo notes that the entire campaign “looks great.”

He told BleepingComputer that “the actor behind the campaign is fairly skilled, or at least has a good set of deep trading tools,” suggesting an APT-level adversary.

Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI (formerly SilentBreak).

While some of the modules in the attack are believed to be customized, the researcher notes that they may be part of the NetSPI platform, for which a commercial license was not available for testing.

For example, two Trojans named ThrowbackDLL.dll and SlingshotDLL.dll might be tools with the same name that are known to be part of the SilentBreak penetration testing framework.

“We started the research from the last stager in memory, and then, using telemetry, we were able to reconstruct many infection chains” – Denis Legezo

The investigation traced the first phase of the attack to September 2021, when the victim was tricked into downloading a RAR archive from a file-sharing service.

The threat actor then deployed the Cobalt Strike module, which was signed with a certificate from a company called Fast Invest ApS. The certificate was used to sign 15 files, none of them legitimate.

In most cases, the researcher told BleepingComputer, the ultimate purpose of targeted malware with this kind of final stage is to obtain valuable data from the victims.

While studying the attack, Kaspersky found no similarities with previous campaigns associated with a known threat actor.

Until a link to a known adversary is established, the researchers track the new activity under the name SilentBreak, after the tool most used in the attack.
