{"id":21899,"date":"2022-05-10T19:11:42","date_gmt":"2022-05-10T19:11:42","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21899"},"modified":"2022-05-10T19:13:53","modified_gmt":"2022-05-10T19:13:53","slug":"hackers-exploit-windows-event-logs","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/hackers-exploit-windows-event-logs\/","title":{"rendered":"Hackers Are Now Exploiting Windows Event Logs"},"content":{"rendered":"\n

Hackers have found a way to infect Windows Event Logs with fileless malware<\/a>, security researchers have found.<\/p>\n\n\n\n

Kaspersky researchers on May 4 revealed<\/a> \u201ca new stash for fileless malware.\u201d During a \u201cvery targeted\u201d campaign, hackers used Windows Event Logs to inject shellcode payloads<\/a> and operate stealthily.<\/p>\n\n\n\n

This new approach is highly sophisticated yet could still become popular, as it seems quite efficient for injecting malicious DLL and evading detection<\/a>. Kaspersky researchers discovered that the attackers used various tools, including custom and commercial solutions like Cobalt Strike and a new toolset used by the hackers.<\/p>\n\n\n\n

The researchers said it’s clearly the work of an advanced threat actor but they could not attribute the campaign to a known APT<\/a> group. The campaign is dubbed \u201cSilentBreak\u201d for now, after the name of the toolset used by the hackers.<\/p>\n\n\n\n

Also read: How Cobalt Strike Became a Favorite Tool of Hackers<\/a><\/p>\n\n\n\n

SilentBreak’s Attack Techniques<\/strong><\/h2>\n\n\n\n

The researchers were struck by \u201cthe variety of the campaign\u2019s techniques and modules,\u201d so they made a classification to analyze the modules one by one:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

All these stages were possible because the hackers managed to trick a target into downloading an infected .rar on file.io, a legitimate website. After that, they were able to spread a digitally-signed Cobalt Strike module to exfiltrate sensitive data.<\/p>\n\n\n\n

How the Attackers Injected Code in Windows Logs<\/strong><\/h2>\n\n\n\n

The researchers discovered malicious payloads into Windows event logs for the Key Management Services (KMS):
<\/p>\n\n\n\n

To achieve the first stage in their campaign, the hackers used a custom malware dropper that copies the legitimate Windows Error Reporting executable (WerFault.exe) to C:\\Windows\\Tasks, and then drops a malicious binary in the same directory:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This technique is called DLL hijacking and consists of replacing a required DLL file with a malicious one and placing it in the same directory as the targeted application. The system uses DLL (Dynamic Link Library) files to store some resources the application needs and will load automatically.<\/p>\n\n\n\n

The new WerFault.exe is then set to autorun, which creates a \u201cWindows Problem Reporting value in the Software\\Microsoft\\Windows\\CurrentVersion\\Run Windows system registry branch.\u201d<\/p>\n\n\n\n

The dropper then looks for logs with a specific category (0x4142) and with the KMS as a source. If it does not find one, the encrypted shell code is written in 8KB chunks in the event logs.<\/p>\n\n\n\n

Kaspersky researchers explored the code and discovered it acts as a proxy to intercept all calls to the original library (the legitimate one) and prepare the next stages, which indicates an iterative procedure.<\/p>\n\n\n\n

Hackers Focused on Evasion<\/strong><\/h2>\n\n\n\n

The top priority for this operation was obviously to remain undetected. To achieve that, the attackers used various anti-detection techniques such as:<\/p>\n\n\n\n