Researchers reported a new malware family that is using the Common Log File System (CLFS) to avoid being detected.
It was discovered by cybersecurity researchers at FireEye’s Mandiant Advanced Practices. The malware has been nicknamed PRIVATELOG by researchers, while its installer was dubbed STASHLOG.
The purpose of the malware and the group of attackers behind it are still unknown.
PRIVATELOG uses CLFS log files to conceal a second-stage payload in registry transaction files, which allows it to evade detection.
There are currently no records suggesting that the malware has been used to attack any machine or launch any second-stage payloads. Researchers believe that it may still be in the development stage or was created for a specific purpose.
Since CLFS is not commonly used, attackers can easily hide their data as log records, using API functions to read and modify the log files.
“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files,” Mandiant researchers explained in a write-up published this week. “This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions.”
Both PRIVATELOG and STASHLOG have been designed to remain undetected on the compromised device.
FireEye’s researchers analyzed the PRIVATELOG sample and found that it is an unobfuscated 64-bit DLL named prntvpt.dll. The malicious library is loaded through DLL search order hijacking when it is called by the “PrintNotify” service.
“Similarly to STASHLOG, PRIVATELOG starts by enumerating *.BLF files in the default user’s profile directory and uses the .BLF file with the oldest creation date timestamp,” the researchers noted, before using it to decrypt and store the second-stage payload.
FireEye’s Mandiant Advanced Practices team has advised organizations to apply YARA rules to scan their internal networks for signs of the malware.
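
The two behaviours described above (a prntvpt.dll loaded through search order hijacking, and selection of the .BLF file with the oldest creation date in the default user's profile) can be turned into a quick triage check over a file listing. The following is an added example, not code from Mandiant or from the original article. It assumes a "path,created" CSV listing exported from a triage collection, that only .BLF files directly inside the profile directory count, and that the listed system directories are where a Windows-shipped prntvpt.dll is expected; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample listing ("path,created"), as a triage tool might export it.
SAMPLE_LISTING = r"""C:\Users\Default\sample-a.blf,2021-03-02T10:15:00
C:\Users\Default\sample-b.BLF,2019-12-07T09:14:52
C:\Users\Default\AppData\sample-c.blf,2018-01-01T00:00:00
C:\Users\alice\sample-d.blf,2017-05-05T08:00:00
C:\Windows\System32\prntvpt.dll,2019-12-07T09:09:01
C:\ProgramData\Example\prntvpt.dll,2021-06-30T23:41:10
"""

# Assumption: locations where a Windows-shipped prntvpt.dll is expected.
EXPECTED_DLL_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]


def parse_listing(text):
    """Return [(PureWindowsPath, datetime)] from 'path,created' CSV rows."""
    rows = csv.reader(io.StringIO(text))
    return [(PureWindowsPath(r[0]), datetime.fromisoformat(r[1])) for r in rows if r]


def oldest_blf(records, profile=r"C:\Users\Default"):
    """The .BLF directly inside `profile` with the oldest creation time, or None."""
    profile = PureWindowsPath(profile)
    blfs = [(p, t) for p, t in records
            if p.parent == profile and p.suffix.lower() == ".blf"]
    return min(blfs, key=lambda r: r[1], default=None)


def misplaced_dlls(records, name="prntvpt.dll"):
    """Copies of `name` that are not under any expected system directory."""
    return [p for p, _ in records
            if p.name.lower() == name
            and not any(root == p.parent or root in p.parent.parents
                        for root in EXPECTED_DLL_ROOTS)]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print("examine first:", oldest_blf(recs))
    print("out-of-place DLLs:", misplaced_dlls(recs))
```

A hit from either function is a lead for closer inspection (for example with the YARA rules mentioned above), not a verdict on its own.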