May 10, 2022

Windows Event Logs Abused for Malware

Industry: N/A | Level: Tactical | Source: Kaspersky

In February 2022, Kaspersky observed a new stealthy technique, used by an unattributed threat actor, that plants malware in Windows event logs. The actor ran a sophisticated and targeted attack employing many custom and commercially available tools. The initial infection appears to have begun in September 2021, when the target was lured into downloading a compressed archive housing offensive tools including Cobalt Strike and Silent Break. The actor injected code into various programs, described as “Windows system processes or trusted applications.” Following injection, a copy of the Windows error-reporting program WerFault.exe is dropped into the directory C:\Windows\Tasks together with an encrypted DLL dropper, ‘wer.dll’, which is loaded through DLL search-order hijacking; persistence is established through an autorun registry key entry. The DLL dropper then searches the Windows event logs for the shellcode written there: “The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter). Created event IDs are automatically incremented, starting from 1423.” The campaign has not been correlated with any other threat actor and, as attribution remains undetermined, the activity is tracked as SilentBreak.
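As an added detection example (not Kaspersky's or Anvilogic's code), the following script hunts for the storage pattern described above in events exported as Windows event XML: Key Management Service as the provider, category 0x4142, event IDs from 1423 upward, and a non-empty binary payload. It assumes the XML layout produced by Get-WinEvent's ToXml(), that the classic event category appears in the `<Task>` element, and that the lpRawData bytes appear hex-encoded in `<EventData><Binary>`; the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Indicators as described in the Kaspersky write-up above.
SUSPECT_SOURCE = "Key Management Service"
SUSPECT_CATEGORY = 0x4142          # "AB" in ASCII
FIRST_SHELLCODE_EVENT_ID = 1423    # IDs are incremented from here
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Pull provider, event ID, category (assumed to be <Task>) and raw-data
    length out of one event rendered in the Windows event XML schema."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name", ""),
        "event_id": int(system.findtext("e:EventID", "0", NS)),
        "task": int(system.findtext("e:Task", "0", NS)),
        # <Binary> is hex text: two characters per byte of lpRawData
        "raw_len": len(root.findtext("e:EventData/e:Binary", "", NS) or "") // 2,
    }


def is_suspicious(ev):
    """Match the SilentBreak pattern: KMS source, category 0x4142,
    ID in the incremented range, and a payload present in the raw data."""
    return (ev["provider"] == SUSPECT_SOURCE and ev["task"] == SUSPECT_CATEGORY
            and ev["event_id"] >= FIRST_SHELLCODE_EVENT_ID and ev["raw_len"] > 0)


def scan(xml_events):
    """Return suspicious events ordered by event ID; a contiguous run from
    1423 upward with ~8KB payloads is the chunk sequence the loader reassembles."""
    hits = (ev for ev in map(parse_event, xml_events) if is_suspicious(ev))
    return sorted(hits, key=lambda e: e["event_id"])


def make_event(provider, event_id, task, raw_bytes):
    """Constructed sample event in the Windows event XML schema (test data only)."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Task>{task}</Task></System>'
            f'<EventData><Binary>{raw_bytes.hex().upper()}</Binary></EventData></Event>')


SAMPLE_EVENTS = [  # constructed: two 8KB shellcode chunks plus two benign events
    make_event("Key Management Service", 1424, 0x4142, b"\x90" * 8192),
    make_event("Key Management Service", 1423, 0x4142, b"\x90" * 8192),
    make_event("Key Management Service", 12290, 0, b""),
    make_event("Microsoft-Windows-Security-Auditing", 4624, 12544, b""),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f'suspicious: EventID={ev["event_id"]} raw_len={ev["raw_len"]}')
```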

  • Anvilogic Use Cases:
    • Compressed File Execution
    • New AutoRun Registry Key
    • Rare Remote Thread