A new secret stash for fileless malware

English預錄演講即時問答惡意程式

Today, attacks using fileless malware have become more complex and the actors behind them have created new advanced means of implementing them. In 2022, Kaspersky discovered the new methods used to keep the code hidden from prying eyes. For the first time, we’ve discovered that Windows’ event logs participate in the infection chain. This is concerning, as the event logging exist in any installation of the most widely used operating system on the globe.

These informational messages might keep the additional binary data. The dropper saves the shellcode into the Key Management System’s (KMS) event sources information, assigning a specific category ID and incremented message IDs. Auxiliary malicious modules can then gather 8KB pieces from logs, turn these into a complete shellcode and run them.

Nevertheless, the actor’s interest in the event logs isn’t limited to just keeping the shellcodes. To hide the infection process, Go droppers also patch the ntdll.dll Windows API functions related to logging (like EtwEventWriteFull, etc.).

In our presentation, we will share the results of our in-depth research into the infection chain, containing:

  • commercial pentesting frameworks
  • a number of anti-detection decryptor-launchers, written in different languages
  • last stage fully-fledged trojans for C2 communications and lateral movement
Denis Legezo

Denis Legezo

Working as Lead Security Researcher with Global Research and Analysis Team (GReAT). At Kaspersky since 2014. Specialized on targeted attacks research, reverse engineering and malware analysis. Regularly providing trainings on these matters. Got the degree at Cybernetics and Applied Math facility of Moscow State University in 2002. Then started the career as a programmer in different public and commercial companies. Presented the researches at RSA, HITB, SAS, VirusBulletin, Cppcon.

所有非英語議程都將提供即時同步口譯翻英

議程表

Use event local timezone
TimeZone

00:30

  • 報到時間

01:20

  • 開幕式 - 貴賓致詞與活動介紹

02:10

03:00

  • Break

03:15

04:05

  • Lunch

05:00

05:45

  • Break

06:00

06:45

  • Tea Time

07:00

07:25

08:10

  • Break

08:25

09:10

  • Closing

09:25