A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode, the first time this has been observed in the wild.
"It allows the 'fileless' last stage trojan to be hidden from plain sight in the file system," Kaspersky researcher Denis Legezo said in a technical write-up published this week.
The stealthy infection process, not attributed to a known actor, is believed to have begun in September 2021, when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and Silent Break.
The adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications.
Also notable is the use of anti-detection wrappers as part of the toolset, suggesting an attempt on the part of the operators to fly under the radar.
One of the key techniques is to keep encrypted shellcode containing the next-stage malware as 8KB pieces in event logs, a never-before-seen approach in real-world attacks; the pieces are then combined and executed.
The final payload is a set of trojans that employ two different communication mechanisms — HTTP with RC4 encryption and unencrypted named pipes — which allow it to run arbitrary commands, download files from a URL, escalate privileges, and take screenshots.
Another indicator of the threat actor's evasion tactics is the use of information gleaned from initial reconnaissance to develop subsequent stages of the attack chain, including the use of a remote server that mimics legitimate software used by the victim.
"The actor behind this campaign is quite capable," Legezo said. "The code is quite unique, with no similarities to known malware."
The disclosure comes as Sysdig researchers demonstrated a way to compromise read-only containers with fileless malware that is executed in-memory by leveraging a critical flaw in Redis servers.
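A defender's hunting heuristic for this storage trick, added here as an illustration rather than code from Kaspersky's write-up: encrypted shellcode split into ~8KB pieces shows up as a run of same-sized, high-entropy event entries from one provider, which is unlike normal text-based log messages. The record layout (provider, event ID, binary data) and all sample entries are constructed for this example; real entries would come from exported EVTX data.

```python
import math
import random
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_chunk(data: bytes, min_size=7 * 1024, max_size=9 * 1024,
                        min_entropy=7.0) -> bool:
    """Flag an entry whose binary payload is roughly 8KB and near-random."""
    return min_size <= len(data) <= max_size and shannon_entropy(data) >= min_entropy

def find_chunk_series(records, min_chunks=3):
    """Group flagged entries by (provider, event_id); report runs of >= min_chunks.

    Returns {(provider, event_id): [record_id, ...]} in the order seen, so an
    analyst can pull those records for reassembly and offline analysis.
    """
    series = defaultdict(list)
    for rec in records:
        if is_suspicious_chunk(rec["data"]):
            series[(rec["provider"], rec["event_id"])].append(rec["record_id"])
    return {key: ids for key, ids in series.items() if len(ids) >= min_chunks}

# Constructed sample log: three ~8KB random blobs (stand-ins for encrypted
# shellcode pieces) from a hypothetical provider, plus benign entries.
_rng = random.Random(1)  # seeded so the example is reproducible
SAMPLE_RECORDS = [
    {"record_id": 100, "provider": "Service Control Manager", "event_id": 7036,
     "data": ("The Example service entered the running state. " * 200).encode()[:8192]},
    {"record_id": 101, "provider": "ConstructedProvider", "event_id": 4242,
     "data": _rng.randbytes(8192)},
    {"record_id": 102, "provider": "ConstructedProvider", "event_id": 4242,
     "data": _rng.randbytes(8192)},
    {"record_id": 103, "provider": "ConstructedProvider", "event_id": 4242,
     "data": _rng.randbytes(8192)},
    {"record_id": 104, "provider": "ConstructedProvider", "event_id": 4243,
     "data": _rng.randbytes(512)},  # small random blob: wrong size, not flagged
]

if __name__ == "__main__":
    for key, ids in find_chunk_series(SAMPLE_RECORDS).items():
        print(f"provider={key[0]} event_id={key[1]} chunk records={ids}")
```

Thresholds (size window, entropy floor, minimum run length) are starting points to tune against a baseline of the environment's own providers, since some legitimate sources do log compressed or binary data.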