Researchers at Kaspersky have uncovered a new-ish attack mechanism that’s very interesting to those of us in the DFIR world. This hasn’t been discussed a lot, and even though the referenced article is extensive, it’s still a bit unclear as to how often this is being used in the wild.
Many of the exploitation activities are common (Cobalt Strike, Remote Access Trojans, Anti-Malware Scan Interface manipulation, etc.) but the really interesting one is that these attackers are utilizing shellcode that’s stashed in Windows Event Logs. Another interesting evasion technique is the removal of the MZ header for executables, which for DFIR folks is a well known indicator that the file you’re looking at is some sort of executable even when it’s not using the .exe file extension.
The article is extensive and fairly technical, if you’re a DFIR person or just interested in the space, it’s a great read.
We’ll be keeping an eye on these techniques to see how attackers use them for shiny new attacks.
Source: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
