"Attackers Use Event Logs to Hide Fileless Malware"

A never-before-seen technique has been discovered in a malicious campaign that plants fileless malware on target machines. The technique involves injecting shellcode directly into Windows event logs, which lets the attackers use the event logs to hide late-stage Trojans. The unidentified adversaries behind the campaign use a set of injection tools and anti-detection techniques to deliver the malware payload. According to researchers, the attackers use at least two commercial products along with several types of last-stage Remote Access Trojan (RAT) and anti-detection wrappers.

The first attack stage involves driving a target to a legitimate website and tricking them into downloading a compressed RAR file booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. Both of these tools are popular among hackers seeking to deliver shellcode to target machines. The attackers use Cobalt Strike and SilentBreak to inject code into any process. They can inject additional modules into Windows system processes or trusted applications such as data loss prevention (DLP) products. The researchers say this layer of the infection chain decrypts, maps into memory, and executes the code.

Injecting malware into a system's memory is classified as fileless. Fileless malware attacks infect systems in a way that does not leave behind artifacts on the local hard drive. The absence of traditional footprints adds an extra layer of difficulty to the forensic analysis that would help security teams investigate a breach and prevent future attacks.

The fileless malware technique is not new, but embedding shellcode containing the malicious payload into Windows event logs has never been seen before, according to the researchers. The code is divided into 8 KB blocks and saved in the binary part of the event log entries to avoid detection. Besides the technique of injecting shellcode into Windows event logs, the other unique component of the campaign is the code itself. Although the droppers are commercially available products, the anti-detection wrappers and RATs are custom-made. This article continues to discuss the new malicious campaign discovered to be using Windows event logs to hide fileless malware and the concept of fileless malware attacks.
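The description above gives defenders one concrete artifact to hunt for: a payload split into 8 KB blocks and written into the binary data field of successive event-log entries. The script below is an added example, not code from Threatpost or from the researchers who reported the campaign; it shows a heuristic triage pass over exported event records that flags runs of same-sized, high-entropy binary fields from one provider and event ID. The record layout (a list of dicts with `provider`, `event_id`, `time` and base64 `binary`), the provider names and the event IDs are all constructed assumptions, chosen to resemble what an export of `Get-WinEvent` output to JSON might look like; nothing here reads a live Windows log.

```python
import base64
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

# 8 KB: the chunk size the reported campaign used when splitting shellcode
# across event-log binary fields.
BLOCK_SIZE = 8 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed code sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _summarize(provider, event_id, run, block_size, min_blocks, min_entropy):
    """Return a finding for one run of events, or None if it looks benign.

    A run qualifies when it holds several full-size, high-entropy blocks;
    a shorter trailing block is tolerated as the tail of the payload.
    """
    full = [d for _, d in run
            if len(d) == block_size and shannon_entropy(d) >= min_entropy]
    if len(full) < min_blocks:
        return None
    return {
        "provider": provider,
        "event_id": event_id,
        "events": len(run),
        "full_blocks": len(full),
        "total_bytes": sum(len(d) for _, d in run),
        "first_seen": run[0][0].isoformat(),
        "last_seen": run[-1][0].isoformat(),
    }


def find_chunked_payloads(events, block_size=BLOCK_SIZE, min_blocks=3,
                          window=timedelta(minutes=15), min_entropy=6.0):
    """Flag bursts of event records whose binary fields look like a chunked blob.

    `events` is an iterable of dicts with keys 'provider', 'event_id',
    'time' (ISO 8601 string) and 'binary' (base64 string or None).
    This record shape is an assumption for the example, not a Windows API.
    """
    grouped = defaultdict(list)
    for ev in events:
        if not ev.get("binary"):
            continue  # no binary data field: nothing to carry a chunk in
        data = base64.b64decode(ev["binary"])
        grouped[(ev["provider"], ev["event_id"])].append(
            (datetime.fromisoformat(ev["time"]), data))

    findings = []
    for (provider, event_id), items in grouped.items():
        items.sort(key=lambda t: t[0])
        run = []
        for ts, data in items:
            # Split the source's events into bursts separated by quiet gaps.
            if run and ts - run[-1][0] > window:
                hit = _summarize(provider, event_id, run, block_size, min_blocks, min_entropy)
                if hit:
                    findings.append(hit)
                run = []
            run.append((ts, data))
        hit = _summarize(provider, event_id, run, block_size, min_blocks, min_entropy)
        if hit:
            findings.append(hit)
    return findings


def _pseudo_random_bytes(seed: str, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted chunk."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def build_sample_events():
    """Constructed records: one suspicious chain plus benign noise."""
    base = datetime(2022, 5, 9, 10, 0, 0)
    b64 = lambda raw: base64.b64encode(raw).decode()
    events = []
    # Five full 8 KB high-entropy blocks seconds apart, then a 1000-byte tail.
    for i in range(5):
        events.append({"provider": "ConstructedProvider", "event_id": 4242,
                       "time": (base + timedelta(seconds=i)).isoformat(),
                       "binary": b64(_pseudo_random_bytes(f"blk{i}", BLOCK_SIZE))})
    events.append({"provider": "ConstructedProvider", "event_id": 4242,
                   "time": (base + timedelta(seconds=5)).isoformat(),
                   "binary": b64(_pseudo_random_bytes("tail", 1000))})
    # Benign: a small binary field, three 8 KB zero-filled (low-entropy)
    # fields from another source, and a record with no binary data at all.
    events.append({"provider": "BenignProvider", "event_id": 1,
                   "time": base.isoformat(), "binary": b64(b"\x01" * 16)})
    for i in range(3):
        events.append({"provider": "BenignProvider", "event_id": 7,
                       "time": (base + timedelta(seconds=i)).isoformat(),
                       "binary": b64(b"\x00" * BLOCK_SIZE)})
    events.append({"provider": "BenignProvider", "event_id": 2,
                   "time": base.isoformat(), "binary": None})
    return events


if __name__ == "__main__":
    for finding in find_chunked_payloads(build_sample_events()):
        print(finding)
```

The entropy check keeps ordinary 8 KB binary records (zero padding, repetitive structures) out of the results, and the burst grouping means a single large record from a chatty provider is not enough on its own; tune `min_blocks`, `window` and `min_entropy` to the noise level of the log being reviewed.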

Threatpost reports "Attackers Use Event Logs to Hide Fileless Malware"

Submitted by Anonymous on