New Fileless Malware Hides Shellcode in Windows Event Logs
Threat Level Description
Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
A new malware campaign has been identified that hides shellcode inside Windows event logs, a technique that had not previously been documented.
Once the attacker has code execution on a host (in this campaign, obtained by tricking the victim into opening a downloaded archive), the technique lets the final-stage payload live inside the event log rather than as a file on disk, so the core of the infection chain is fileless and leaves little for antivirus or forensic file scanning to find. The whole chain is designed to keep the activity as stealthy as possible.
This infection process has been observed in the wild and is believed to have started in September 2021, when the intended targets were lured into downloading compressed .RAR archives containing modules from the commercial penetration testing frameworks Cobalt Strike and NetSPI.
These adversary-simulation modules are then used as a launchpad to inject code into Windows system processes or trusted applications. Also notable is the use of anti-detection wrappers as part of the toolset, suggesting the operators were trying to stay under the radar.
The most interesting part of the attack is the storage of shellcode in Windows event log records registered under the Key Management Service (KMS) event source. A custom dropper writes the shellcode into the log, and a separate launcher later reads the records back and reassembles the code in memory.
The final payload is a set of trojans using two different command-and-control channels (HTTP with RC4-encrypted traffic, or unencrypted named pipes) that let the operator run arbitrary commands, download files from a URL, escalate privileges, and take screenshots.
The approach is sophisticated and likely to be adopted by other actors: it is an efficient way to stage a malicious DLL while evading file-based detection, and source code for writing payloads into Windows event logs was briefly available publicly.
Indicators of Compromise:
File Hashes (malicious documents, trojans, emails, decoys)
Logs code launcher
Named pipes Trojan and similar
Anti-detection wrappers/decryptors/launchers, not malicious by themselves
C:\Windows\Tasks\WerFault.exe, a copy of the legitimate binary placed there to sideload the malicious .dll
Named pipe MonolithPipe
Event log records from the Key Management Service source with category 0x4142 (decimal 16706); the event IDs auto-increment starting from 1423.
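The following PowerShell triage script is an added example for checking a host against the three host-based indicators above (event-log stash, named pipe, sideloading copy of WerFault.exe). It is not part of the advisory or of any vendor's tooling. Two points are assumptions rather than statements from the advisory: that the KMS records are written to the Application log (category 0x4142 is the Task field in the event XML, decimal 16706), and that the shellcode is carried in each record's binary data field. The DLL name sideloaded by WerFault.exe is not given here, so the script simply lists any DLL found next to the copied executable.

```powershell
# Added triage script for the IOCs above; not from the advisory. Run elevated
# on the host under investigation. Assumptions are marked in the comments.

# 1. Event-log stash: Key Management Service source, category 0x4142 (Task=16706),
#    event IDs counting up from 1423. Assumed: records live in the Application
#    log and the payload is carried in the record's <Binary> field.
$xpath  = "*[System[Provider[@Name='Key Management Service'] and Task=16706 and EventID>=1423]]"
$events = Get-WinEvent -LogName Application -FilterXPath $xpath -ErrorAction SilentlyContinue |
          Sort-Object RecordId

$chunks = foreach ($e in $events) {
    $hex  = [string]([xml]$e.ToXml()).Event.EventData.Binary   # hex string or ''
    $head = if ($hex.Length -ge 8) { $hex.Substring(0, 8) } else { $hex }
    [pscustomobject]@{
        RecordId  = $e.RecordId
        EventId   = $e.Id
        Created   = $e.TimeCreated
        BinaryLen = $hex.Length / 2        # bytes carried by this record
        Head      = $head                  # first bytes, to spot an x86/x64 stub
    }
}

if ($chunks) {
    Write-Warning ("{0} suspicious Key Management Service event(s) found" -f @($chunks).Count)
    $chunks | Format-Table -AutoSize
    # Concatenate the binary fields in record order for offline analysis.
    # The output is the raw stash: treat it as hostile code, never execute it.
    $bytes = foreach ($e in $events) {
        $hex = [string]([xml]$e.ToXml()).Event.EventData.Binary
        for ($i = 0; $i + 1 -lt $hex.Length; $i += 2) {
            [Convert]::ToByte($hex.Substring($i, 2), 16)
        }
    }
    if ($bytes) {
        $out = Join-Path $env:TEMP 'kms_stash.bin'
        [IO.File]::WriteAllBytes($out, [byte[]]$bytes)
        Write-Output "Reassembled $($bytes.Count) byte(s) to $out"
    }
} else {
    Write-Output 'No Key Management Service events with category 0x4142 and ID >= 1423'
}

# 2. Named pipe used by the trojan (live enumeration of \\.\pipe\).
$pipes = [IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { Split-Path $_ -Leaf }
$hits  = $pipes | Where-Object { $_ -like '*MonolithPipe*' }
if ($hits) { Write-Warning "Named pipe present: $($hits -join ', ')" }
else       { Write-Output 'No MonolithPipe named pipe' }

# 3. Sideloading host: a copy of the legitimate WerFault.exe in C:\Windows\Tasks.
#    The EXE itself is clean, so compare it with the System32 original and list
#    any DLL beside it (the advisory does not name the sideloaded DLL).
$tasks    = Join-Path $env:windir 'Tasks'
$werFault = Join-Path $tasks 'WerFault.exe'
if (Test-Path $werFault) {
    $legit = (Get-FileHash (Join-Path $env:windir 'System32\WerFault.exe') -Algorithm SHA256).Hash
    $copy  = (Get-FileHash $werFault -Algorithm SHA256).Hash
    Write-Warning "WerFault.exe found in $tasks (identical to System32 copy: $($legit -eq $copy))"
    Get-ChildItem $tasks -Filter *.dll -File | Select-Object FullName, Length, LastWriteTime
    # A WerFault.exe running from Tasks rather than System32 is the sideload in action.
    Get-CimInstance Win32_Process -Filter "Name='WerFault.exe'" |
        Where-Object { $_.ExecutablePath -like "$tasks\*" } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
} else {
    Write-Output "No WerFault.exe in $tasks"
}
```

Because the stash is identified by source, category and event ID range rather than by a file hash, the first check still works when the shellcode itself is changed; the named pipe and the Tasks-folder copy are weaker indicators that an operator can rename at no cost, so treat those two as confirmation rather than as the primary hunt.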
Configure your EDR and other security controls with the IOCs above to detect and block this behaviour.
Apply security updates, including new IOCs for your security controls, promptly, regardless of the size of your organisation. Maintain an effective patch management process, keep security event logging enabled, and actively monitor it: in this campaign the event log is itself the hiding place, so the Application log should be collected and reviewed rather than left unwatched.