Kaspersky Lab experts have discovered an unusual malware campaign and warned the public about it. According to the company, this is the first time such a campaign has been observed.

The campaign uses Windows event logs to store malware. The attackers also use a wide range of techniques, including SilentBreak and Cobalt Strike, which are legitimate penetration testing tools. The infection chain also includes a whole set of auxiliary modules, including some written in Go, which are used to make the final-stage Trojans harder to detect.
The company's experts had not previously seen the technique of hiding malicious code inside Windows event logs. Initial infection of the system is carried out by a module from an archive downloaded by the victim. Some of the files are signed with a digital certificate to make them appear more trustworthy. The chain ends with several Trojans for remote control of infected devices; they differ in how commands are transmitted (HTTP or named pipes) and even in their command sets, with some versions supporting dozens of commands.
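The storage trick described above (encrypted shellcode kept inside event-log entries) gives defenders a simple triage signal: ordinary event messages are human-readable text, whereas an encrypted payload is close to incompressible. The following Python script is an added example, not Kaspersky's detection logic and not code from the campaign. It scores constructed event records (the field names, provider names, thresholds and the records themselves are all assumptions) by decoding hex or base64 message text and measuring the Shannon entropy of the result. In practice the same logic would run over records exported from a host's event logs.

```python
import base64
import math
import random
import re
from collections import Counter

# Field names below are assumptions modelled on the usual columns of a
# Windows event record (record id, provider name, event id, message text).
# Every record is constructed for this example; none is real telemetry.
_rng = random.Random(2022)  # fixed seed so the constructed blobs are reproducible


def _random_bytes(n):
    """Constructed stand-in for an encrypted payload: seeded pseudo-random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_EVENTS = [
    {"record_id": 1001, "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Windows Update service entered the running state."},
    # Long but human-readable text: must not be flagged.
    {"record_id": 1002, "provider": "Application Error", "event_id": 1000,
     "message": "Faulting application name: notepad.exe, version: 10.0.19041.1, " * 12},
    # Base64-encoded opaque blob under a made-up provider name.
    {"record_id": 1003, "provider": "Hypothetical-Provider", "event_id": 1,
     "message": base64.b64encode(_random_bytes(1024)).decode()},
    # Hex-encoded opaque blob: per-character entropy is capped at 4 bits,
    # so it is only caught if the message is decoded before measuring.
    {"record_id": 1004, "provider": "Hypothetical-Provider", "event_id": 2,
     "message": _random_bytes(768).hex()},
    # Short base64 string ("Hello World"): far too small to be a payload.
    {"record_id": 1005, "provider": "Hypothetical-Provider", "event_id": 3,
     "message": "SGVsbG8gV29ybGQ="},
]

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_if_encoded(message):
    """Return the raw bytes a message carries: hex or base64 text is decoded,
    anything else is taken as UTF-8 text."""
    if _HEX_RE.match(message) and len(message) % 2 == 0:
        return bytes.fromhex(message)
    if _B64_RE.match(message) and len(message) % 4 == 0:
        try:
            return base64.b64decode(message, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return message.encode("utf-8", errors="replace")


def looks_like_opaque_payload(message, min_bytes=512, min_entropy=7.0):
    """Heuristic (thresholds are assumptions): a message whose decoded form is
    at least min_bytes long and nearly incompressible is not log text."""
    data = decode_if_encoded(message)
    return len(data) >= min_bytes and shannon_entropy(data) >= min_entropy


def find_suspicious_events(events):
    """Record ids of events whose message field looks like an opaque payload."""
    return [e["record_id"] for e in events if looks_like_opaque_payload(e["message"])]


if __name__ == "__main__":
    for rid in find_suspicious_events(SAMPLE_EVENTS):
        print(f"record {rid}: message looks like an encoded binary payload")
```

Run as-is it reports records 1003 and 1004 and leaves the long English message and the short base64 string alone. Decoding before measuring matters: hex text never exceeds 4 bits of entropy per character, so a raw-text entropy check would miss record 1004. The heuristic is a triage filter, not a verdict: some providers legitimately log binary data, so pair it with an allowlist of known providers and review newly registered event sources on the host.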
Denis Legezo, a leading cybersecurity expert at Kaspersky Lab, said:
In addition to using two commercial tools at once and a large number of modules, we were very interested in the fact that the encrypted shellcode was stored in the Windows event log. This technique of hiding the presence of malware in the system could be added to the MITRE matrix.
Source: ixbt

Donald-43Westbrook, a contributor at worldstockmarket.