This new fileless malware hides shellcode in Windows event logs


A new malicious campaign has been spotted taking advantage of Windows event logs to hide pieces of shellcode for the first time in the wild.

“It allows the last-stage ‘fileless’ Trojan to be hidden in plain sight in the file system,” Kaspersky researcher Denis Legezo wrote in a technical article published this week.

The stealthy infection process, not attributed to any known actor, is believed to have started in September 2021, when the intended targets were tricked into downloading compressed .RAR archives containing Cobalt Strike and SilentBreak.

The modules of these adversary-simulation tools are then used as a launching pad to inject code into Windows system processes or trusted applications.

Also noteworthy is the use of anti-detection wrappers as part of the toolset, suggesting an attempt by the operators to fly under the radar.

Windows Event Log Malware ShellCode

One of the key methods is to store the encrypted shellcode containing the next-stage malware as 8KB chunks in the event logs, a technique never before seen in real-world attacks; the chunks are later reassembled and executed.
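A defender-side illustration of how this stashing technique can be hunted for, added here as an example and not taken from the article or from Kaspersky: event log records whose binary data field is both large (near the 8KB chunk size) and near-random (high Shannon entropy) look like encrypted payload chunks rather than normal event text. The record layout, provider names and sample data are constructed assumptions.

```python
"""Heuristic hunt for encrypted shellcode chunks stashed in event log records.

Added example: flags records whose binary data is large and near-random,
the signature of an encrypted payload chunk. Record layout, provider names
and the sample data below are constructed assumptions, not real log data.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

CHUNK_SIZE = 8 * 1024  # chunk size reported for the campaign


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted/random data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_chunks(records: List[Dict], min_len: int = CHUNK_SIZE // 2,
                           min_entropy: float = 7.0) -> List[Tuple[int, str, int, float]]:
    """Return (record_id, provider, length, entropy) for every record whose
    binary data field is at least min_len bytes and has entropy >= min_entropy."""
    hits = []
    for rec in records:
        data = rec.get("data", b"")
        if len(data) < min_len:
            continue  # small payloads are ordinary event data
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((rec["id"], rec["provider"], len(data), round(ent, 2)))
    return hits


def build_sample_records() -> List[Dict]:
    """Constructed sample log: benign events plus two 8KB random (encrypted-looking) chunks."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(2 * CHUNK_SIZE))
    return [
        {"id": 101, "provider": "SampleProvider-A",
         "data": b"The Windows Update service entered the running state."},
        {"id": 102, "provider": "SampleProvider-B", "data": blob[:CHUNK_SIZE]},
        {"id": 103, "provider": "SampleProvider-B", "data": blob[CHUNK_SIZE:]},
        {"id": 104, "provider": "SampleProvider-C", "data": b"A" * CHUNK_SIZE},  # large but low entropy
    ]


if __name__ == "__main__":
    for hit in find_suspicious_chunks(build_sample_records()):
        print("suspicious chunk:", hit)
```

Records 102 and 103 (same provider, consecutive ids, 8KB each, entropy near 8) are flagged, while the large but repetitive record 104 is not; on a real host the same heuristic would be run over the data fields exported from the event logs.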


The final payload is a set of Trojans that use two different communication mechanisms, HTTP with RC4 encryption and unencrypted named pipes, which allow the operators to execute arbitrary commands, download files from URLs, escalate privileges and take screenshots.

Another indicator of the threat actor’s evasion tactics is the use of information gleaned during initial reconnaissance to develop successive steps in the attack chain, including the use of a remote server that mimics legitimate software used by the victim.

“The actor behind this campaign is quite capable,” Legezo said. “The code is quite unique, with no similarity to known malware.”

The disclosure comes as Sysdig researchers demonstrated a way to compromise read-only containers with fileless malware running in memory by exploiting a critical flaw in Redis servers.
