Project Hyphae

Malware in Event Logs?


Researchers at Kaspersky have uncovered a new-ish attack mechanism that’s very interesting to those of us in the DFIR world. This hasn’t been discussed a lot, and even though the referenced article is extensive, it’s still a bit unclear how often this is being used in the wild.

Many of the exploitation activities are common (Cobalt Strike, Remote Access Trojans, Anti-Malware Scan Interface manipulation, etc.), but the really interesting one is that these attackers are utilizing shellcode that’s stashed in Windows Event Logs. Another interesting evasion technique is the removal of the MZ header from executables. For DFIR folks, that header is a well-known indicator that the file you’re looking at is some sort of executable, even when it’s not using the .exe file extension.
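A triage check for the header trick mentioned above, as an added example that is not from this post or the Kaspersky article: it flags files that still carry a valid PE signature and COFF header at `e_lfanew` but lack the leading `MZ` magic. It assumes only the two-byte magic was altered and the rest of the DOS header is intact; `classify_pe` and `build_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct
import sys

PE_SIG = b"PE\x00\x00"
OPT_MAGICS = (0x10B, 0x20B)   # PE32, PE32+
MAX_LFANEW = 0x1000           # sanity bound chosen for this example


def classify_pe(buf: bytes) -> str:
    """Return 'pe', 'pe-headerless' or 'not-pe' for the start of a file."""
    if len(buf) < 0x40:
        return "not-pe"
    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if not 0x40 <= e_lfanew <= MAX_LFANEW:
        return "not-pe"
    # Need the signature (4), the COFF header (20) and the optional magic (2).
    if e_lfanew + 26 > len(buf) or buf[e_lfanew:e_lfanew + 4] != PE_SIG:
        return "not-pe"
    (nsections,) = struct.unpack_from("<H", buf, e_lfanew + 6)
    (opt_magic,) = struct.unpack_from("<H", buf, e_lfanew + 24)
    if opt_magic not in OPT_MAGICS or not 1 <= nsections <= 96:
        return "not-pe"
    # Structure is a PE image; the only question left is the leading magic.
    return "pe" if buf[:2] == b"MZ" else "pe-headerless"


def build_sample(magic: bytes = b"MZ") -> bytes:
    """Constructed header-only stub (no code) used to exercise the check."""
    dos = bytearray(0x80)
    dos[0:2] = magic
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + PE_SIG + coff + struct.pack("<H", 0x20B) + bytes(0xEE)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = classify_pe(fh.read(MAX_LFANEW + 26))
        if verdict == "pe-headerless":
            print(f"{path}: PE structure present but MZ magic missing")
```

Run it with file paths as arguments; only files classified as `pe-headerless` are reported.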

The article is extensive and fairly technical. If you’re a DFIR person or just interested in the space, it’s a great read.

We’ll be keeping an eye on these techniques to see how attackers use them for shiny new attacks.

Source: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/


