Kaspersky Researchers Discover A New “Fileless” Malware Campaign

Researchers at Kaspersky have found a malicious campaign that used Windows event logs to store malware, a technique not previously seen in attacks in the wild. This method enables threat actors to plant fileless malware on the system, keeping the attack activity as stealthy as possible:

The initial infection of the system was carried out through the dropper module from an archive downloaded by the victim. The attacker used a variety of unparalleled anti-detection wrappers to keep the last stage Trojans even less visible. To further avoid detection, some modules were signed with a digital certificate.

The attackers employed two types of Trojans for the last stage. These were used to gain further access to the system; commands from control servers are delivered in two ways: over HTTP network communications and through named pipes. Some Trojan versions managed to use a command system containing dozens of commands from the C2.

The campaign also included commercial pentesting tools, namely SilentBreak and CobaltStrike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcode on the system.

Saryu Nayyar, CEO and Founder of Gurucul, had this comment:

“Emerging techniques such as these continue to highlight the importance of incorporating behavioral-based analytics, which constantly monitor users, endpoints and other security solutions in the enterprise, to further augment anomaly detection and investigation capabilities.”

“Detection evasion is the name of the game these days, so identifying and alerting on anomalous behavior during early stages of an attack is critical for any effective security program.”

This is truly next-level stuff from these threat actors, which means that your response to these threats has to be next level as well. In the meantime, the Kaspersky report does offer some mitigation strategies that are well worth implementing.
