Hackers Are Now Hiding Malware In Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. BleepingComputer reports: The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible. The dropper copies the legitimate OS error handling file and then drops an encrypted binary resource to the 'wer.dll' (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code. DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path.

[Denis Legezo, lead security researcher at Kaspersky] says that the dropper's purpose is to loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 - 'AB' in ASCII. If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager. 'The dropped wer.dll is a loader and wouldn't do any harm without the shellcode hidden in Windows event logs,' says Legezo. The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant's red team, has created and published on GitHub source code for injecting payloads into Windows event logs.

Read more of this story at Slashdot.