Kaspersky Has Detected Malware Deployed Inside Windows Event Logs
First Used In September 2021, Discovered Last Week
Add this to the list of things you wish you didn’t know about: multistage malware which hides its payload inside the Windows event log (the store that Event Viewer displays) and from there is able to do a wide variety of nasty things. The only real good news is that the infection requires someone to download and run an infected file; sadly, that file is likely to come from a legitimate-looking source and to carry a valid digital signature. The malware’s impersonation of a commercial penetration testing tool is just the beginning of the nightmare.
The awful people who developed this malware used a wide variety of tricks to make your life miserable once the infection has managed to stash its code inside the event log. They may have written some of the modules this malware uses, but others have been borrowed from the penetration testing frameworks Cobalt Strike and SilentBreak. The shellcode written into the event log, which the loader reads back into memory and runs, is wrapped in up to four layers of encryption using different ciphers; the files the infection drops or replaces are either already-trusted system binaries or are given a code-signing certificate; and it even patches the logging (event tracing) functions in ntdll.dll so its activity is not recorded.
You can read a more detailed summary here, or go straight to the source if you want the full story on this malware’s lifecycle and capabilities, and any hope of detecting it if it is already running on your network.
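One practical way to hunt for the technique described above is to look for event-log entries that should never carry binary data but do, and whose payload is large and high-entropy (encrypted or compressed shellcode looks like random bytes). The PowerShell below is an added example written for this page, not code from Kaspersky or from the malware authors. The log name it scans by default ("Key Management Service"), the minimum payload size and the entropy threshold are assumptions to be tuned to the indicators in the Kaspersky write-up and to your own environment; the logic itself (pull the `<Binary>` element of each event, measure its entropy, reassemble suspicious chunks in record order for offline analysis) is generic and works against any Windows event log.

```powershell
# Added example (not from the page or from Kaspersky): hunt for event-log entries
# carrying large, high-entropy binary payloads, i.e. shellcode stashed in the log.
# Run in an elevated PowerShell on the host you are investigating.
param(
    [string]$LogName = 'Key Management Service',   # assumption: log abused in this campaign
    [int]$MinBytes = 1024,                         # assumption: ignore small, legitimate blobs
    [double]$EntropyThreshold = 6.0,               # assumption: 8.0 is perfectly random data
    [string]$DumpPath = "$env:TEMP\eventlog_payload.bin"
)

function Get-ShannonEntropy {
    # Bits of entropy per byte; text and code sit well below 6, ciphertext near 8.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $entropy = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function ConvertFrom-HexString {
    # Event XML stores the binary data element as an uppercase hex string.
    param([string]$Hex)
    $bytes = [byte[]]::new([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return $bytes
}

function Find-SuspiciousEventPayloads {
    param([string]$LogName, [int]$MinBytes, [double]$EntropyThreshold)
    $hits = @()
    # -Oldest returns records in write order, which is the order chunks were stored.
    $events = Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        [xml]$x = $ev.ToXml()
        $hex = $x.Event.EventData.Binary
        if (-not $hex) { continue }               # no binary data: not interesting here
        $bytes = ConvertFrom-HexString $hex
        if ($bytes.Length -lt $MinBytes) { continue }
        $h = Get-ShannonEntropy $bytes
        if ($h -ge $EntropyThreshold) {
            $hits += [pscustomobject]@{
                RecordId    = $ev.RecordId
                TimeCreated = $ev.TimeCreated
                EventId     = $ev.Id
                Provider    = $ev.ProviderName
                Bytes       = $bytes.Length
                Entropy     = [Math]::Round($h, 2)
                Payload     = $bytes
            }
        }
    }
    return $hits
}

$hits = Find-SuspiciousEventPayloads -LogName $LogName -MinBytes $MinBytes -EntropyThreshold $EntropyThreshold
if (-not $hits) {
    Write-Host "No large high-entropy payloads found in '$LogName'."
    return
}
$hits | Select-Object RecordId, TimeCreated, EventId, Provider, Bytes, Entropy | Format-Table -AutoSize

# Reassemble the chunks in record order so the combined blob can be carved,
# decrypted and analysed offline; never execute it.
$stream = [System.IO.File]::Create($DumpPath)
try {
    foreach ($hit in ($hits | Sort-Object RecordId)) {
        $stream.Write($hit.Payload, 0, $hit.Payload.Length)
    }
} finally { $stream.Dispose() }
Write-Host "Wrote $((Get-Item $DumpPath).Length) bytes of reassembled payload to $DumpPath"
```

Two caveats a practitioner would want: a single hit proves nothing on its own (some providers legitimately log compressed blobs), so treat the output as a lead to pivot from, for example by checking which process wrote the records and whether an unsigned DLL is loaded alongside a copied system binary; and because the malware patches the tracing functions in ntdll.dll in the processes it controls, the event log on a compromised host can be incomplete, so corroborate with an offline copy of the .evtx files or with EDR telemetry rather than trusting the live host alone.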
In the HTTP variant of the final stage, the malicious file targeted Windows system files, hiding a piece of the malware by creating a duplicate of an existing file with “1.1” appended to its name; Kaspersky assumes this copy is the malicious version of the file.