This New Malware Family Using CLFS Log Files to Avoid Detection

silversurfer

Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System (CLFS) to hide a second-stage payload in registry transaction files in an attempt to evade detection mechanisms.

FireEye's Mandiant Advanced Practices team, which made the discovery, dubbed the malware PRIVATELOG, and its installer, STASHLOG. Specifics about the identities of the threat actor or their motives remain unclear.

Although the malware is yet to be detected in real-world attacks aimed at customer environments or be spotted launching any second-stage payloads, Mandiant suspects that PRIVATELOG could still be in development, the work of a researcher, or deployed as part of a highly targeted activity.

CLFS is a general-purpose logging subsystem in Windows that is accessible to both kernel-mode and user-mode applications, such as database systems, OLTP systems, messaging clients, and network event management systems, for building and sharing high-performance transaction logs.

"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers explained in a write-up published this week. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
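To make the point about API access concrete, here is an added example that is not code from the article, from the malware, or from Mandiant's write-up: a user-mode round trip through the CLFS API exported by clfsw32.dll, which creates a log, appends one data record and reads it back by LSN. PRIVATELOG is described as hiding its payload in the registry's transaction files; this example generalizes to a log of its own so it can run in a scratch directory. It assumes Windows with PowerShell 5 or later and a writable %TEMP%; the log path, container sizes, marshalling-area sizes and the record bytes are demo choices.

```powershell
# Added example (not from the article or Mandiant). Requires Windows; uses
# P/Invoke into clfsw32.dll. Paths, sizes and the record text are assumptions.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class Clfs {
    [StructLayout(LayoutKind.Sequential)]
    public struct WRITE_ENTRY { public IntPtr Buffer; public uint ByteLength; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LSN { public ulong Internal; }
    public const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000;
    public const uint CREATE_NEW = 1, FILE_ATTRIBUTE_NORMAL = 0x80;
    public const uint CLFS_FLAG_FORCE_FLUSH = 0x2;   // write the record to disk now
    public const uint CLFS_CONTEXT_FORWARD = 3;      // CLFS_CONTEXT_MODE ClfsContextForward
    [DllImport("clfsw32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateLogFile(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags);
    [DllImport("clfsw32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool AddLogContainer(IntPtr hLog, ref ulong size, string path, IntPtr reserved);
    [DllImport("clfsw32.dll", SetLastError = true)]
    public static extern bool CreateLogMarshallingArea(IntPtr hLog, IntPtr alloc, IntPtr free,
        IntPtr ctx, uint bufferSize, uint maxWrite, uint maxRead, out IntPtr marshal);
    [DllImport("clfsw32.dll", SetLastError = true)]
    public static extern bool ReserveAndAppendLog(IntPtr marshal, WRITE_ENTRY[] entries, uint count,
        IntPtr undoNext, IntPtr previous, uint reserveRecords, IntPtr reservations,
        uint flags, out LSN lsn, IntPtr overlapped);
    [DllImport("clfsw32.dll", SetLastError = true)]
    public static extern bool ReadLogRecord(IntPtr marshal, ref LSN first, uint mode,
        out IntPtr buffer, out uint length, out uint recordType, out LSN undoNext,
        out LSN previous, out IntPtr readCtx, IntPtr overlapped);
    [DllImport("clfsw32.dll", SetLastError = true)]
    public static extern bool TerminateReadLog(IntPtr readCtx);
    [DllImport("clfsw32.dll", SetLastError = true)]
    public static extern bool DeleteLogMarshallingArea(IntPtr marshal);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
Add-Type -TypeDefinition $src

function Fail($what) { throw "$what failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

$dir = Join-Path $env:TEMP 'clfs-demo'      # assumed scratch location
Remove-Item -Recurse -Force $dir -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $dir | Out-Null

# 1. Base log file. CLFS takes a "log:" prefix and appends the .blf extension itself.
$hLog = [Clfs]::CreateLogFile("log:$dir\demo", [Clfs]::GENERIC_READ -bor [Clfs]::GENERIC_WRITE,
    0, [IntPtr]::Zero, [Clfs]::CREATE_NEW, [Clfs]::FILE_ATTRIBUTE_NORMAL)
if ($hLog.ToInt64() -eq -1) { Fail 'CreateLogFile' }

# 2. Containers hold the records; a log needs at least two before it accepts writes.
foreach ($i in 0, 1) {
    [uint64]$size = 1MB
    if (-not [Clfs]::AddLogContainer($hLog, [ref]$size, "$dir\container$i", [IntPtr]::Zero)) { Fail 'AddLogContainer' }
}

# 3. Marshalling area: the buffers through which records are appended and read.
$marshal = [IntPtr]::Zero
if (-not [Clfs]::CreateLogMarshallingArea($hLog, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        64KB, 2, 2, [ref]$marshal)) { Fail 'CreateLogMarshallingArea' }

# 4. Append one data record. The bytes are a constructed sample, not a real payload.
$payload = [Text.Encoding]::UTF8.GetBytes('constructed record: hello from CLFS')
$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($payload.Length)
[Runtime.InteropServices.Marshal]::Copy($payload, 0, $buf, $payload.Length)
$e = New-Object Clfs+WRITE_ENTRY
$e.Buffer = $buf; $e.ByteLength = $payload.Length
$entries = New-Object 'Clfs+WRITE_ENTRY[]' 1
$entries[0] = $e
$lsn = New-Object Clfs+LSN
if (-not [Clfs]::ReserveAndAppendLog($marshal, $entries, 1, [IntPtr]::Zero, [IntPtr]::Zero,
        0, [IntPtr]::Zero, [Clfs]::CLFS_FLAG_FORCE_FLUSH, [ref]$lsn, [IntPtr]::Zero)) { Fail 'ReserveAndAppendLog' }
"Appended record at LSN 0x{0:X16}" -f $lsn.Internal

# 5. Read it back by LSN. Nothing here opens demo.blf as a plain file.
$rbuf = [IntPtr]::Zero; $rlen = [uint32]0; $rtype = [uint32]0
$undo = New-Object Clfs+LSN; $prev = New-Object Clfs+LSN; $rctx = [IntPtr]::Zero
if (-not [Clfs]::ReadLogRecord($marshal, [ref]$lsn, [Clfs]::CLFS_CONTEXT_FORWARD, [ref]$rbuf, [ref]$rlen,
        [ref]$rtype, [ref]$undo, [ref]$prev, [ref]$rctx, [IntPtr]::Zero)) { Fail 'ReadLogRecord' }
$out = New-Object byte[] $rlen
[Runtime.InteropServices.Marshal]::Copy($rbuf, $out, 0, $rlen)
"Read back ({0} bytes, record type {1}): {2}" -f $rlen, $rtype, [Text.Encoding]::UTF8.GetString($out)

# 6. Release the read cursor, the marshalling area, the log handle and the buffer.
[void][Clfs]::TerminateReadLog($rctx)
[void][Clfs]::DeleteLogMarshallingArea($marshal)
[void][Clfs]::CloseHandle($hLog)
[Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
```

Running it leaves demo.blf and two container files in the scratch directory, but the record content was placed and retrieved purely through CreateLogFile, ReserveAndAppendLog and ReadLogRecord. That is the practical reading of the quoted remark: a file-format tool that opens the .blf directly gets nothing it understands, so the API surface is both the channel the attacker uses and, for a defender, the place to look (for instance, an unexpected process importing these exports from clfsw32.dll).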