CATEGORIES
home News

Fileless Malware Could Be Lurking Inside Your Windows Event Logs

by Lane BabuderTuesday, May 10, 2022, 03:48 PM EDT
system error logs hero
Another day another malware threat. Yes, yet another new way of delivering malware has shown up recently. That new way does not directly involve files but Windows Event Logs.

According to security researchers at Kaspersky, a customer showed this new behavior. The method injects shellcode payloads into the event logs for Windows' Key Management Services (KMS). A custom malware dropper manages to perform this task. The dropper then copies the executable WerFault.exe to a new folder, then places an encrypted binary into that same location. This is the first this method of malware delivery has been observed "in the wild."

event log tools used
According to Kaspersky's lead security researcher, Denis Legezo, the DLL is basically useless on its own. However, now that the DLL is running, it can be used to execute code in memory, code that it can put together in pieces pulled straight from the Windows Event Log. That is what makes it dangerous.

Many malware and virus detection platforms usually have blocks of code that even heurisitic malware and virus scanners can catch without too much "hard work" by the scanners. However, this particularly nasty version of things can break up all of that code into 8KB chunks, at seemingly arbitrary intervals in the code, store them in events, then re-assemble them later. This means that it's possible for malware detections to just miss them because they could be completely innocuous on their own.

anti detection wrappers
The detection by Kaspersky, they claim, happened in February, and believe that the particular attack they studied was quite targeted. In fact it looks like there were additional anti-malware detection prevention placed into the code. That is in addition to this Windows Event code storage method. They believe the intent of the attack was to steal data, as is quite often the case for malware as of late. We've seen a whole host of banking malware for mobile devices after all.

When it comes to security of your devices though, it often does boil down heavily to being wary. Be extremely careful of attachments you open, e-mails you accept, and what you install. Kaspersky, nicely, has published hashes on all files associated in the attack that they detected in their report. It is important to note that, on their own, a number of the files are innocuous and may even be necessary system files.
Tags:  Malware, security, Kaspersky
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment