Windows event logs exploited for fileless malware storage

Threat actors have been stealthily deploying fileless malware with a novel technique: injecting shellcode directly into Windows event logs, according to Threatpost. Discovered in February, the campaign hides its late-stage trojan deployment inside Windows event logs, a Kaspersky report revealed. Attackers begin the attack chain with lures that prompt targets to download a malicious .RAR file containing Cobalt Strike and SilentBreak, which are then used to inject code into any process, including other trusted applications. Because the malware is fileless, infections went undetected on compromised computers. "We consider the event logs technique, which we haven't seen before, the most innovative part of this campaign. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable," wrote Kaspersky Global Research and Analysis Team Senior Security Researcher Denis Legezo.
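One defender-side check that follows from the technique described above, as an added example (not code from the article or from Kaspersky's report): flag event log records whose data looks like a binary blob rather than the short text message a log entry normally carries. The records below are constructed, the source name HypotheticalSvc is a placeholder, and it is assumed that real records collected with Get-WinEvent or an .evtx parser expose a source, an event id and the raw data bytes.

```python
import math
from collections import Counter

# Constructed sample records standing in for Windows event log entries.
# Assumption: each real record exposes a source name, an event id and the raw data bytes.
SAMPLE_EVENTS = [
    {"source": "Service Control Manager", "event_id": 7036,
     "data": "The Windows Update service entered the running state.".encode()},
    {"source": "HypotheticalSvc", "event_id": 1,          # placeholder source name
     "data": bytes(range(256)) * 4},                      # 1 KiB, every byte value equally often
    {"source": "Application Error", "event_id": 1000,
     "data": b"Faulting application name: notepad.exe"},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for encrypted or packed code, low for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_binary_payload(data: bytes, min_size: int = 512,
                              min_entropy: float = 6.0) -> bool:
    """A genuine log message is small, low-entropy and mostly printable.

    Large, high-entropy data with little printable content is what stored
    shellcode would look like, so all three tests must fire before flagging.
    """
    if len(data) < min_size:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    return shannon_entropy(data) >= min_entropy and printable < 0.9


def find_suspicious_events(events):
    """Return (source, event_id, size, entropy) for each record that looks like a payload."""
    return [
        (e["source"], e["event_id"], len(e["data"]), round(shannon_entropy(e["data"]), 2))
        for e in events
        if looks_like_binary_payload(e["data"])
    ]


if __name__ == "__main__":
    for hit in find_suspicious_events(SAMPLE_EVENTS):
        print("suspicious event data:", hit)
```

Thresholds are starting points: tune min_size against the largest legitimate message bodies your own sources write before relying on the output.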
