Wednesday06 July 2022

New Advanced Fileless Malware Found Using Windows Event Logs

Reading time is around minutes.

When most people think of malware, they think of binaries that are downloaded to a drive and executed. However, that is only part of the malware world. The other side does not actually download the malicious binary directly to the drive and often injects it directly into memory though the use of scripts. The name fileless is a bit of a misnomer as there are always files to be found in different stages of the attack, it is more to the point that much of the malicious work is doe through injection of code into legitimate processes without the need to write much of it to disk.

The new campaign discovered by researchers at Kaspersky, does have a “fileless” component, but it actually starts off with coercing a target into downloading the link to a .rar file. The rar file has been observed to contain at least parts of Silentbreak and Cobalt Strike. These two items are already impressive tools kits on their own and allow an attacker to perform a lot of different activities on the infected host. These tools are hidden inside anti-detection wrappers that the attacker seems to rotate through. All of them have similar techniques though. Researchers observed that during the initial phase the launcher executes and “patches” some functions in memory related to registering and writing to the Windows event log.

For communication there appear to be two primary methods, one is RC4 encrypted over HTTP and the other is via named pipes. The latter might be used specifically for lateral movement and internal communication inside a compromised domain. It is an unusual combination of communication methods, but a lot of this malware is unusual.

The next step is the dropper malware. Here we see another unusual attack path. The attackers inject code into the explorer.exe process and use that access to remove earlier stages of the infection as well as to copy the legitimate werfault process to a different directory along with a malicious dll. From there they set their version of Werfault to autorun in the Windows registry. The dll in question (wer.dll) is a loader and searches through the event logs for a specific error (written earlier). If these errors are not found, the loader then writes 8kb chunks of shellcode to the event logs with event IDs starting at 1423.

The wer.dll along with another tool to combine the shellcode into the same memory used by the copy of WerFault.exe. the completed shellcode contains the next stages of the infection. The use of this often chatty process is very sophisticated as it is typically safe listed even in advanced EDRs due to how often alerts are seen one it for memory dumps, LSASS access etc.

The remaining stages of the infection are a bit more usual, but as would be expected contain different remote access trojans and other tools to allow the attacker to execute code on the targeted system. The commands between the two types of observed communication methods appear to be modular and can be mixed and matched. It is also possible that the malware developer is still evolving their malware. The multiple techniques, different modules and even communication methods are not unusual, the use of the Windows event log to hide the shellcode is and shows that the attackers are quite sophisticated.

The researchers that discovered this campaign have not assigned it to any known threat group and say that the items observed do not line up with any known malware previously discovered. The note that the campaign appears to have started back in September 2021 and was only discovered in February. They are still watching the campaign and if they are able to tie it to a known group, they will update their findings.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.