Undocumented publicly for attacks in the wild, security researchers have discovered a malicious operation that leveraged Windows event logs to contain malware.

The assault’s threat actor was able to use the technology to introduce fileless malware into the file system as part of a covert attack using a variety of techniques and modules.

Payloads are added to Windows event logs.
After being recognised as a threat on a customer’s computer by a commercial product equipped with technologies for behavior-based detection and anomaly control, researchers at Kaspersky collected a sample of the virus.

According to the study, the malware utilised a sizable number of both custom-made and commercially available tools as part of a “highly targeted” effort.
One of the most intriguing aspects of the attack is the bespoke malware dropper’s injection of shellcode payloads into Windows event logs for the Key Management Services (KMS).

According to Kaspersky’s lead security researcher Denis Legezo, the malicious campaign marked the first time this technique had been deployed “in the field.”

At order to load malicious code via DLL search order hijacking, the dropper copies the genuine OS error handling programme WerFault.exe to “C:WindowsTasks” before dropping an encrypted binary resource to the “wer.dll” (Windows Error Reporting) in the same location.

A hacking method called DLL hijacking uses weak security checks in normal programmes to load a malicious Dynamic Link Library (DLL) into memory from any location.

According to Legezo, the dropper’s functions include looking for specific entries in the event logs (category 0x4142, or ‘AB’ in ASCII), as well as putting data onto the disc for the side-loading procedure. In the absence of such a record, it generates 8KB chunks of encrypted shellcode that are then merged to create the code for the subsequent stager.

Given that the source code for injecting payloads into Windows event logs has been publicly available for a short while, the new technique examined by Kaspersky is probably on its way to becoming more well-known.

Advanced technical actor
Legezo states that the overall campaign “looks remarkable” based on the numerous methods and modules (pen-testing suites, personalised anti-detection wrappers, and final stage trojans) utilised in it.

He claimed to an APT-level adversary, saying to BleepingComputer that “the actor behind the campaign is pretty adept by itself, or at least has a good set of quite sophisticated commercial tools.”

The commercial penetration testing frameworks Cobalt Strike and NetSPI were among the tools utilised in the attack (the former SilentBreak).

Although the researcher believes that some of the attack’s modules are original, they may really be a part of the NetSPI platform, which testing required a paid licence for.

For instance, two trojans with the names ThrowbackDLL.dll and SlingshotDLL.dll could represent tools that belong to the SilentBreak penetration testing framework and are known to use those names.

According to the research, the attack started in September 2021 when the victim fell for a scam to download a RAR archive from the file-sharing website file.io.

The Cobalt Strike module, which was signed with a certificate from the business Fast Invest ApS, was subsequently distributed by the threat actor. 15 files were signed with the certificate, but none of them were genuine.

According to the researcher, the ultimate goal of targeted malware with such last stager functionality is typically to collect some valuable data from the victims.

When analysing the attack, Kaspersky did not discover any resemblances to earlier efforts linked to a recognised threat actor.

The researchers label the new activity SilentBreak, after the name of the tool most frequently employed in the attack, until a connection with a known opponent is made.