A new technique has been observed in the wild for delivering fileless malware on targeted devices and evading detection. According to researchers at Kaspersky, the attack involves injecting shellcode into Windows event logs, which sees the attacker hiding in plain sight and delivering fileless Trojans. The encrypted shellcode that includes the payload is embedded into Windows event logs in 8KB blocks and is saved in the binary part of the event logs
The researchers say the campaign was detected in February, and the earliest phase of the campaign occurred in September 2021. The threat actor is new to Kaspersky and has significant capabilities. In addition to hiding shellcode in event logs, the threat actor uses several other techniques and commercial penetration testing tools such as Cobalt Strike and NetSPI.
In the attack, the threat actor sends victims to a legitimate website and tricks them into downloading a compressed .RAR file that includes Cobalt Strike and NetSPI with multiple anti-detection wrappers, including a Go decryptor that keeps the Cobalt Strike module encoded several times and AES256 CBC encrypted blob. A library launcher is compiled with GCC under MinGW, and an AES decryptor is used that is compiled with a Visual Studio compiler. The last stage of the attack involves the delivery of an HTTP-based or a pipes-based Trojan.
The threat actor is able to inject malicious code into any process using the Trojans, including Windows system processes or trusted applications such as DLP. The malware used in the campaign is fileless, which means it operates in the memory and downloads no files to the hard drive, making the malware difficult to detect using traditional signature-based security tools. The threat actor does not need to install any tools, as Windows tools such as PowerShell and Windows Management Instrumentation (WMI) are used.
“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter),” explained Kaspersky researcher, Denis Legezo.
A launcher is dropped into the Windows Task Directory, and a separate thread combines the 8KB chunks into complete shellcode, which is then executed. In the attack, dropper modules patch native Windows API functions to make the attack much stealthier.
The attacker is using custom Remote Access Trojans (RATs) that have not previously been seen, which consist of a mix of complex custom code and parts of publicly available software. The code is unique and is not related to any other malware, so it has not been possible at this stage to link the threat actor to any other attacks.