Malware campaign hides a shellcode into Windows event logs

Pierluigi Paganini May 07, 2022

Experts spotted the first malware campaign to use the technique of hiding shellcode in Windows event logs.

In February 2022, researchers from Kaspersky spotted a malicious campaign using a novel technique that consists of hiding shellcode in Windows event logs. The technique allows a fileless Trojan to be hidden; the experts also noticed that the dropper modules patched Windows native API functions related to Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to avoid detection.

“In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system.” reads the analysis published by Kaspersky researcher Denis Legezo.

The experts discovered that the attackers are hiding encrypted shellcode containing the next-stage malware as 8KB pieces in event logs.

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).” continues the analysis. “This launcher, dropped into the Tasks directory by the first stager, proxies all calls to wer.dll and its exports to the original legitimate library. At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it.”

Windows event logs
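A defensive hunt for the storage pattern described in the quoted analysis, added here as an example that is not part of the Kaspersky report or this post. It assumes the chunks sit in the Application log, that the dropper registered the source name 'Key Management Service', and that the 0x4142 category is exposed as the record's Task value for classic (non-manifest) events; it only counts and hashes the raw data and never decodes or runs it.

```powershell
# Added hunting example (assumptions noted in the lead-in): report Application-log
# records from source 'Key Management Service' whose category is 0x4142 and whose
# raw data is unusually large. Nothing here decodes or executes the data.
$Source   = 'Key Management Service'
$Category = 0x4142      # "AB" in ASCII, as the report notes
$MinChunk = 4096        # flag large raw payloads; the reported chunks are ~8KB

function Get-HexBytes([string]$Hex) {
    # <Binary> in a classic event's XML is a hex string; convert it to bytes.
    # Written as a loop so it also works on Windows PowerShell 5.1.
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    return ,$bytes
}

$filter = @{ LogName = 'Application'; ProviderName = $Source }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits   = @()
foreach ($e in $events) {
    if ($e.Task -ne $Category) { continue }      # category is stored in Task for classic events
    $xml = [xml]$e.ToXml()
    $hex = [string]$xml.Event.EventData.Binary    # the lpRawData passed to ReportEvent()
    if (-not $hex) { continue }
    $bytes = Get-HexBytes $hex
    if ($bytes.Length -lt $MinChunk) { continue }
    $hits += [pscustomobject]@{
        RecordId = $e.RecordId
        Time     = $e.TimeCreated
        Bytes    = $bytes.Length
        Data     = $bytes
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No '$Source' records with category 0x4142 and large raw data found."
    return
}

# Summarise the find for the incident record: chunk count, total size and a
# SHA-256 of the concatenated raw data (in record order) for IoC sharing.
$ordered = $hits | Sort-Object RecordId
$blob    = [byte[]]($ordered | ForEach-Object { $_.Data })
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$hash    = ($sha256.ComputeHash($blob) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Warning "$($ordered.Count) matching records, $($blob.Length) bytes of raw data, SHA-256 $hash"
$ordered | Select-Object RecordId, Time, Bytes | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect host or against an exported log via the `Path` key of the filter hashtable instead of `LogName`; a hit is a lead for triage, not a verdict on its own.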

The attackers behind this campaign, which has likely been active since September 2021, used different compilers, from Microsoft’s cl.exe or GCC under MinGW to a recent version of Go. The threat actors also signed their modules to avoid detection.

The attack chain starts with a .RAR archive, distributed from a legitimate site, that contains Cobalt Strike and Silent Break.

The last-stage modules use two communication mechanisms: HTTP with RC4 encryption, and unencrypted named pipes. The attackers used them to conduct a broad range of malicious activities, including executing arbitrary commands, downloading files from a URL, escalating privileges, and taking screenshots.

“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable. There is the possibility that some of the modules we described here as custom ones are part of a commercial toolset as well. The code is quite unique, with no similarities to known malware. We will continue to monitor similar activity.” concludes the report.
