Threat actors have been stealthily deploying fileless malware using a novel technique that injects shellcode directly into Windows event logs, according to Threatpost.
The campaign, discovered in February, conceals the deployment of a late-stage trojan by storing it in Windows event logs, a Kaspersky report revealed. Attackers begin the attack chain with lures that prompt targets to download a malicious .RAR file containing Cobalt Strike and SilentBreak, which are then used to inject code into arbitrary processes and other trusted applications. Because the malware is fileless, infections could not be detected on compromised computers.
"We consider the event logs technique, which we haven't seen before, the most innovative part of this campaign. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable," wrote Kaspersky Global Research and Analysis Team Senior Security Researcher Denis Legezo.
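As an added example, not part of the Threatpost or Kaspersky reporting: a small Python heuristic that flags event log records whose message field looks like packed binary rather than text, the kind of anomaly a payload stored in event logs would leave behind. The provider names, event IDs and message bytes below are constructed samples, not indicators from the report.

```python
import math
from collections import Counter

# Constructed sample records standing in for Windows event log entries:
# (provider name, event id, raw message bytes). Not real telemetry.
SAMPLE_EVENTS = [
    ("Service Control Manager", 7036,
     b"The Windows Update service entered the running state."),
    ("Application Error", 1000,
     b"Faulting application name: notepad.exe, version: 10.0.19041.1, "
     b"time stamp: 0x12345678, faulting module name: ntdll.dll"),
    # Two records whose message field carries an opaque binary blob, the
    # shape a payload hidden in event logs would have (constructed bytes).
    ("ExampleProvider", 1001, bytes(range(256))[:200]),
    ("ExampleProvider", 1001, bytes((i * 37 + 11) % 256 for i in range(200))),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text sits near 4, packed binary near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def non_printable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII plus tab, LF and CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(data)

def find_suspicious(events, min_len=64, entropy_threshold=6.0, np_threshold=0.3):
    """Return (provider, event_id, entropy, non_printable_ratio) for each record
    whose message is long enough and looks like binary rather than text.
    Short records are skipped because entropy estimates on them are noisy."""
    hits = []
    for provider, event_id, message in events:
        if len(message) < min_len:
            continue
        ent = shannon_entropy(message)
        npr = non_printable_ratio(message)
        if ent >= entropy_threshold and npr >= np_threshold:
            hits.append((provider, event_id, round(ent, 2), round(npr, 2)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious event payload:", hit)
```

On a live host the same scoring can be applied to message fields pulled from the event logs; tuning the length and entropy thresholds against the host's normal providers keeps benign verbose records from tripping it.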