"New Malware Uses Novel Fileless Technique to Evade Detection"

Researchers on FireEye's Mandiant advanced practices team have discovered a new memory-resident malware family named PRIVATELOG and its installer, called STASHLOG. According to the researchers, PRIVATELOG and STASHLOG apply a unique and stealthy approach to evade threat detection tools. The researchers say they have not observed the malware on any customer networks or recovered any second-stage payloads that the malware may have launched. The malware is nonetheless noteworthy because it uses a novel technique to try to remain undetected in memory on an infected system. Fileless malware typically runs only in memory, unlike malware that writes payloads to disk, where antivirus tools detect them more easily. Blaine Stancill, a senior reverse engineer with the Mandiant FLARE team, explains that these fileless techniques leverage Windows storage containers, such as the Windows registry, to house the payload. These storage containers can be accessed through various Windows Application Programming Interfaces (APIs), which makes them easy for threat actors to use but difficult for defenders to analyze, because the containers usually rely on undocumented structures.

The Windows registry, Windows Management Instrumentation (WMI), and the Common Information Model (CIM) repository are commonly used for fileless malware storage. STASHLOG and PRIVATELOG differ in that they use Common Log File System (CLFS) containers to store malicious payloads. Windows uses CLFS containers to temporarily store data for registry transactions and other high-volume operations. STASHLOG and PRIVATELOG are said to be the first known malware samples to use CLFS for storing malicious payloads. The new tactic is significant in that it expands the set of techniques used for fileless malware storage. It is essential for the security community to continue exploring fileless malware, as the tools used for such attacks have almost become a standard part of today's attacker toolkits.
As antivirus and malware detection tools get better at detecting malware written to disk, threat actors are increasingly turning to memory-resident tools for performing malicious activities. This article continues to discuss the use of CLFS containers by new malware to store malicious payloads, the significance of this new tactic, and the rise in memory-resident malware. 
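A defender reading the above will want a starting point for hunting CLFS artifacts that do not belong where they sit. The PowerShell below is an added triage example written for this summary; it is not code from the Dark Reading article or from Mandiant's report, and it assumes nothing about PRIVATELOG's own file names. It enumerates CLFS base log files (`*.blf`) on the system drive, treats a short list of Windows directories as the assumed-normal homes for CLFS logs (an assumption to tune per environment), and reports size, timestamps, owner and SHA-256 for any base log file found elsewhere, so an analyst can hash and review it alongside its container files.

```powershell
# Added hunting example (not from the Dark Reading article or Mandiant's report).
# Lists CLFS base log files (*.blf) found outside directories this example
# ASSUMES to be normal CLFS locations on Windows. Tune $knownGood for your
# environment; a hit is a lead for review, not a verdict, because legitimate
# software can also create CLFS logs.

$knownGood = @(
    'C:\Windows\System32\config\TxR',   # registry transaction logs (CLFS)
    'C:\Windows\System32\LogFiles',     # assumed-normal location
    'C:\Windows\System32\SMI'           # assumed-normal location
)

$findings = Get-ChildItem -Path 'C:\' -Recurse -File -Filter '*.blf' -ErrorAction SilentlyContinue |
    Where-Object {
        # Keep only base log files whose directory is not under a known-good prefix.
        $dir = $_.DirectoryName
        -not ($knownGood | Where-Object { $dir -like "$_*" })
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Path     = $_.FullName
            SizeKB   = [math]::Round($_.Length / 1KB, 1)
            Created  = $_.CreationTimeUtc
            Modified = $_.LastWriteTimeUtc
            Owner    = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
            # Hash for later comparison; files held open by the CLFS driver may not hash.
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }

if ($findings) {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No CLFS base log files found outside the assumed-normal locations.'
}
```

Run it from an elevated prompt so that protected directories are readable; a full recursive scan of the system drive takes a few minutes. Because CLFS container files sit beside their base log file and their names are chosen by the creating application, review the whole directory of any flagged `.blf`, not only the file listed, and compare hashes across hosts to separate one-off artifacts from legitimately installed software.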

Dark Reading reports "New Malware Uses Novel Fileless Technique to Evade Detection"
