fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers are Now Hiding Malware in Windows Event Logs

Hackers are Now Hiding Malware in Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

Adding payloads to Windows event logs

Researchers at Kaspersky collected a sample of the malware after being a company product equipped with technology for behavior-based detection and anomaly control identified it as a threat on a customer’s computer.

Also Read: 7 Simple Tips On How To Create A Good Business Card Data

The investigation revealed that the malware was part of a “very targeted” campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services (KMS), an action completed by a custom malware dropper.

Denis Legezo, lead security researcher at Kaspersky, says that this method has been used “for the first time ‘in the wild’ during the malicious campaign.”

SilentBreak dropper writes shellcode in Windows KMS event log
source: Kaspersky

The dropper copies the legitimate OS error handling file WerFault.exe to ‘C:\Windows\Tasks’ and then drops an encrypted binary resource to the ‘wer.dll’ (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code.

DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path.

Legezo says that the dropper’s purpose is to loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 – ‘AB’ in ASCII. If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager.

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs” – Denis Legezo, lead security researcher at Kaspersky

The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant’s red team, has created and published on GitHub source code for injecting payloads into Windows event logs.

Technically advanced actor

Based on the various techniques and modules (pen-testing suites, custom anti-detection wrappers, final stage trojans) used in the campaign, Legezo notes that the entire campaign “looks impressive.”

Also Read: How Bank Disclosure Of Customer Information Work For Security

He told BleepingComputer that “the actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools,” indicating an APT-level adversary.

Among the tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI (the former SilentBreak).

SilentBreak APT's toolset
source: Kaspersky

While some modules in the attack are believed to be custom, the researcher notes that they may be part of the NetSPI platform, for which a commercial license was unavailable for testing.

For instance, two trojans named ThrowbackDLL.dll and SlingshotDLL.dll may be tools with the same name known to be part of the SilentBreak penetration testing framework.

“We started the research from the in-memory last stager and then, using our telemetry, were able to reconstruct several infection chains” – Denis Legezo

The investigation tracked the initial stage of the attack to September 2021 when the victim was tricked into downloading a RAR archive from the file sharing service file.io.

The threat actor then spread the Cobalt Strike module, which was signed with a certificate from a company named Fast Invest ApS. The certificate was used to sign 15 files and none of them were legitimate.

Digital certificate SilentBreak APT used to sign its tools
source: Kaspersky

In the majority of cases, the ultimate purpose of the targeted malware with such last stager functionality is obtaining some valuable data from the victims, the researcher told BleepingComputer.

While studying the attack, Kaspersky did not find any similarities with previous campaigns associated with a known threat actor.

Until a connection with a known adversary is made, the researchers track the new activity as SilentBreak, after the name of the tool most used in the attack.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us