Security researchers have discovered a malicious campaign that stores malware inside Windows event logs, a technique that had not previously been publicly documented in real-world attacks. The method lets the attacker keep the payload off the file system, in an attack that combines various methods and modules designed to keep the activity as undetectable as possible.
Kaspersky researchers retrieved a sample of the malware after a commercial product equipped with behavior-based detection and anomaly control flagged it as a threat on a customer's PC. The malware turned out to be part of a "highly targeted" campaign that used a significant number of bespoke and commercially available tools. One of the more intriguing aspects of the attack is the injection of shellcode payloads into Windows event logs for the Key Management Service (KMS), which is carried out by a custom malware dropper.
According to Kaspersky's lead security researcher Denis Legezo, this approach was employed "for the first time 'in the wild' during the malicious campaign." The dropper copies the legitimate OS error-handling executable WerFault.exe to 'C:\Windows\Tasks', then drops an encrypted binary resource to the same location as 'wer.dll' (Windows Error Reporting), so that DLL search order hijacking loads the malicious code. DLL hijacking is a technique that abuses inadequate path checks in regular applications to load a malicious Dynamic Link Library (DLL) from an attacker-chosen location into memory.
According to Legezo, the dropper's job is to write the loader to disk for the side-loading step and to search the event logs for records with a specific category (0x4142, which is 'AB' in ASCII). If no such record is found, it writes the encrypted shellcode as 8KB pieces, which are later merged to form the code of the next stager. Soumyadeep Basu, currently an intern on Mandiant's red team, has written and published source code on GitHub for injecting payloads into Windows event logs, indicating that the new approach investigated by Kaspersky is likely to become more common.
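As an added illustration (not code from Kaspersky's report), the following Python sketches how a defender could hunt exported event records for the storage pattern described above: Key Management Service events with category 0x4142 whose data are near-random chunks of at most 8KB, reassembled in record order to estimate the hidden payload size. The provider name, the entropy threshold and the record shape are assumptions, and the sample records are constructed.

```python
import math
from collections import namedtuple
from random import Random

# Indicators from the description above; names and thresholds are assumptions.
SUSPICIOUS_CATEGORY = 0x4142           # 'AB' in ASCII
CHUNK_SIZE = 8 * 1024                  # the dropper stores 8KB pieces
ENTROPY_THRESHOLD = 7.0                # assumed: encrypted shellcode is near-random
KMS_SOURCE = "Key Management Service"  # assumed provider name to hunt under

# Hypothetical, simplified shape of one exported event log record.
EventRecord = namedtuple("EventRecord", "record_id source category data")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_stored_payload(records, source=KMS_SOURCE):
    """Flag records matching the storage pattern and reassemble them in order."""
    hits = sorted(
        (r for r in records
         if r.source == source and r.category == SUSPICIOUS_CATEGORY
         and 0 < len(r.data) <= CHUNK_SIZE
         and shannon_entropy(r.data) >= ENTROPY_THRESHOLD),
        key=lambda r: r.record_id)
    blob = b"".join(r.data for r in hits)
    return {"chunks": len(hits), "total_bytes": len(blob),
            "record_ids": [r.record_id for r in hits]}

def build_sample_records():
    """Constructed sample: two benign events plus three high-entropy chunks."""
    rng = Random(7)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return [
        EventRecord(100, KMS_SOURCE, 1, b"License activation status check"),
        EventRecord(101, "Application Error", 100, b"Faulting application name"),
        EventRecord(102, KMS_SOURCE, SUSPICIOUS_CATEGORY, rand(CHUNK_SIZE)),
        EventRecord(103, KMS_SOURCE, SUSPICIOUS_CATEGORY, rand(CHUNK_SIZE)),
        EventRecord(104, KMS_SOURCE, SUSPICIOUS_CATEGORY, rand(1000)),
    ]

print(find_stored_payload(build_sample_records()))
```

On a real host the records would come from an export of the Application log; the entropy filter keeps ordinary text events with the same category from being reported.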
Legezo says the overall campaign "looks impressive" given the numerous techniques and modules it employed (pen-testing suites, bespoke anti-detection wrappers, and final-stage trojans). "The actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools," he said, implying an APT-level adversary. The commercial penetration testing frameworks Cobalt Strike and NetSPI (formerly SilentBreak) were among the tools employed in the attack.
While some of the attack's components are thought to be unique, the researcher speculates that they may be part of the NetSPI platform, for which a commercial license was not available to the researchers at the time of analysis. For example, two trojans named ThrowbackDLL.dll and SlingshotDLL.dll may correspond to SilentBreak penetration testing framework tools of the same names.
The first stage of the attack was traced back to September 2021, when the victim was tricked into downloading a RAR archive from the file-sharing service file.io. The attacker then delivered the Cobalt Strike module, signed with a Fast Invest ApS certificate. The same certificate was used to sign 15 files, none of which were legitimate.
According to the researcher, the ultimate goal of targeted malware with such final-stager capabilities is, in most cases, to collect valuable data from the victims. During the investigation, Kaspersky found no overlap between this attack and previous campaigns attributed to a known threat actor. Until the new activity can be tied to a known adversary, the researchers are tracking it as SilentBreak, after the tool used most often in the attack.