A new secret stash for fileless malware
Today, attacks using fileless malware have become more complex and the actors behind them have created new advanced means of implementing them. In 2022, Kaspersky discovered the new methods used to keep the code hidden from prying eyes. For the first time, we’ve discovered that Windows’ event logs participate in the infection chain. This is concerning, as the event logging exist in any installation of the most widely used operating system on the globe.
These informational messages might keep the additional binary data. The dropper saves the shellcode into the Key Management System’s (KMS) event sources information, assigning a specific category ID and incremented message IDs. Auxiliary malicious modules can then gather 8KB pieces from logs, turn these into a complete shellcode and run them.
Nevertheless, the actor’s interest in the event logs isn’t limited to just keeping the shellcodes. To hide the infection process, Go droppers also patch the ntdll.dll Windows API functions related to logging (like EtwEventWriteFull, etc.).
In our presentation, we will share the results of our in-depth research into the infection chain, containing:
- commercial pentesting frameworks
- a number of anti-detection decryptor-launchers, written in different languages
- last stage fully-fledged trojans for C2 communications and lateral movement
Denis Legezo
Working as Lead Security Researcher with Global Research and Analysis Team (GReAT). At Kaspersky since 2014. Specialized on targeted attacks research, reverse engineering and malware analysis. Regularly providing trainings on these matters. Got the degree at Cybernetics and Applied Math facility of Moscow State University in 2002. Then started the career as a programmer in different public and commercial companies. Presented the researches at RSA, HITB, SAS, VirusBulletin, Cppcon.