At least one group of hackers has learned a new trick you need to be aware of. Security researchers at Kapersky Lab have discovered a malicious campaign-in-progress that is using event logs to store malware. That is a technique that has not been seen or documented until now.
This new methodology is designed for maximum stealth, allowing the threat actor to plant fileless malware in the target device’s file system.
The dropper used in this case makes a copy of the legitimate OS error handling file called “WerFault.exe.” This is placed in C:WindowsTasks, and then it drops an encrypted binary resource to the wer.dll in the same location, which is used for Windows Error Reporting.
DLL hijacking is something that has been seen before. It is a move that allows hackers to exploit a legitimate program that isn’t designed with many checks, which allows malicious code to be loaded into memory.
Denis Legezo is the lead security researcher at Kaspersky. Legezo notes that the loader itself is harmless, but the hackers have hidden shellcodes inside the Windows event logs, and that’s what allows it all to function.
Legezo’s team traced the attack back to its origins in September of 2021 when the victim was tricked into downloading a RAR file from the file sharing service File.io.
It’s a scary piece of work. Based on an analysis of the code, it seems clear that the threat actor behind this new technique is highly advanced.
The fear is that the details surrounding this new method will be widely shared on the Dark Web. This would allow other, less technically proficient threat actors to copy it. Given how difficult to detect the method is, it’s likely to become incredibly popular very quickly.
All that to say, if you’re an IT Security Professional, your life is probably about to get a whole lot harder unfortunately.