Kaspersky Warns of Fileless Malware Hidden in Windows Event Logs

MuzzMelbourne (Thread author)
Mar 13, 2022

Trooper
Aug 28, 2015
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

Adding payloads to Windows event logs

Researchers at Kaspersky collected a sample of the malware after a company product equipped with technology for behavior-based detection and anomaly control identified it as a threat on a customer's computer.

The investigation revealed that the malware was part of a “very targeted” campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services (KMS), an action completed by a custom malware dropper.

Denis Legezo, lead security researcher at Kaspersky, says that this method has been used “for the first time ‘in the wild’ during the malicious campaign.”
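As an added defender-side illustration (not code from the article, from Kaspersky, or from the poster), a small Python heuristic over constructed event-log records: an entry written under the KMS event source whose data field is large, high-entropy and mostly non-printable stands out from the short text messages such a log normally holds. The record structure, the provider name, the event IDs and the thresholds are all assumptions for the sake of the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class EventRecord:
    """Minimal stand-in (an assumption, not the real EVTX layout) for one event-log record."""
    record_id: int
    provider: str   # event source name
    event_id: int
    data: bytes     # raw event data field


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 8.0 for random or packed code, roughly 3 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of printable-ASCII or whitespace bytes; UTF-16 text sits near 0.5 because of its NUL bytes."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_like_binary_payload(rec: EventRecord, min_size: int = 1024,
                              min_entropy: float = 6.0, max_printable: float = 0.7) -> bool:
    """All three must hold: a large data field, high entropy, and mostly non-text bytes.
    The thresholds are assumptions, to be tuned against a baseline of the provider's normal records."""
    return (len(rec.data) >= min_size
            and shannon_entropy(rec.data) >= min_entropy
            and printable_ratio(rec.data) <= max_printable)


def suspicious_records(records, provider: str = "KMS"):
    """Return the records under the given provider whose data field looks like embedded binary."""
    return [r for r in records if r.provider == provider and looks_like_binary_payload(r)]


# Constructed sample records (not real log data; event IDs are sample values): two ordinary
# text entries and one entry whose data field is 4 KiB of pseudo-random bytes standing in
# for a hidden payload.
_rng = random.Random(2022)
SAMPLE_RECORDS = [
    EventRecord(1, "KMS", 12290, "Activation request received".encode("utf-16-le")),
    EventRecord(2, "KMS", 12288, ("Client activated. " * 200).encode("utf-16-le")),
    EventRecord(3, "KMS", 12290, bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    for r in suspicious_records(SAMPLE_RECORDS):
        print(f"record {r.record_id}: {len(r.data)} bytes, "
              f"entropy {shannon_entropy(r.data):.2f}, printable {printable_ratio(r.data):.2f}")
```

A payload stored as hex or base64 text would pass the printable test, so in practice this check belongs next to a size baseline per provider rather than on its own.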