Kaspersky Has Detected Malware Deployed Inside Windows Event Logs

Source: Tech Republic, "Kaspersky Has Detected Malware Deployed Inside Windows Event Logs"

First Used In September 2021, Discovered Last Week

Add this to the list of things you wish you didn't know about: a multistage malware that stashes its payload inside the Windows event logs and, once running, can do a wide variety of nasty things.  The only real good news is that the infection requires someone to download and run an infected file; sadly, that file is likely to come from a legitimate source and to be signed.  The malware's imitation of a commercial penetration testing tool is just the beginning of the nightmare.

The awful people who developed this malware used a wide variety of tricks to make your life miserable once the infection has hidden its code inside the event logs.  They may have written some of the modules themselves, but others are borrowed from commercial penetration testing tools, namely Cobalt Strike and SilentBreak.  The shellcode written into the event log, which a launcher can read back into memory and execute, is encrypted up to four times with different encryption tools; the system files the infection drops or modifies tend to be ones that are already whitelisted or that carry a digital signature, and it even tampers with the logging functions of ntdll.dll.

You can read a more detailed summary here, or go straight to the source if you want the full story on this malware's lifecycle and capabilities, and any hope of detecting it if it is already running on your network.

With the HTTP network method, the malicious file targets Windows system files, hiding a piece of malware by creating a duplicate of an existing file with "1.1" added to the name; Kaspersky assumes the copy carrying "1.1" is the malicious version of the file.
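The two behaviours above, shellcode stashed as oversized binary blobs in event-log entries and a dropped file that duplicates a legitimate name with "1.1" spliced in, both lend themselves to simple hunting heuristics.  The script below is an added example written for this post; it is not Kaspersky's, Tech Republic's or the malware's code.  It assumes event records have already been exported from a log (for instance with `wevtutil qe <log> /f:xml`) and parsed into (provider, event ID, payload) triples; the records, provider names and file names it runs on are constructed for the demonstration, the entropy and size thresholds are my own starting values, and where exactly the "1.1" sits in a cloned file name is an assumption, since the article only says it is "added to the string".

```python
"""Hunting heuristics for shellcode stashed in Windows event-log entries.

Added example, not Kaspersky's or Tech Republic's code.  Records are assumed
to come from an event-log export; everything below is constructed sample data.
"""
import base64
import math
import random
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EventRecord:
    provider: str     # event source name (constructed names in the samples)
    event_id: int
    payload: bytes    # raw EventData / binary data carried by the entry


MIN_CHUNK_LEN = 1024      # stashed shellcode chunks are large; skip short records
RAW_ENTROPY_MIN = 7.0     # bits/byte; encrypted or packed code sits close to 8
B64_ENTROPY_MIN = 5.5     # base64 text cannot exceed 6 bits/byte
_B64_RE = re.compile(rb"\A[A-Za-z0-9+/=\r\n]+\Z")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a reason if the payload looks like a stashed blob, else None."""
    if len(payload) < MIN_CHUNK_LEN:
        return None
    ent = shannon_entropy(payload)
    if ent >= RAW_ENTROPY_MIN:
        return f"high-entropy binary payload ({ent:.2f} bits/byte, {len(payload)} bytes)"
    # An encoded stash is printable but still dense: decode base64-looking text and re-check.
    if _B64_RE.match(payload) and ent >= B64_ENTROPY_MIN:
        try:
            decoded = base64.b64decode(payload, validate=False)
        except ValueError:
            return None
        dent = shannon_entropy(decoded)
        if len(decoded) >= MIN_CHUNK_LEN and dent >= RAW_ENTROPY_MIN:
            return f"base64 text decoding to high-entropy blob ({dent:.2f} bits/byte)"
    return None


def hunt_event_log(records: List[EventRecord]) -> List[Tuple[str, int, str]]:
    """Return (provider, event_id, reason) for every record that trips a heuristic."""
    hits = []
    for rec in records:
        reason = classify_payload(rec.payload)
        if reason:
            hits.append((rec.provider, rec.event_id, reason))
    return hits


# "1.1" either before the extension (foo1.1.exe) or at the very end (foo.exe1.1);
# the placement is an assumption, the article only says "1.1" is added to the name.
_CLONE_RE = re.compile(r"^(?P<stem>.+?)1\.1(?P<ext>\.[^.]+)?$", re.IGNORECASE)


def cloned_system_file_names(names: List[str], legitimate: List[str]) -> List[Tuple[str, str]]:
    """Return (suspicious_name, original_name) for names that clone a known file with "1.1"."""
    legit = {n.lower() for n in legitimate}
    found = []
    for name in names:
        m = _CLONE_RE.match(name)
        if not m:
            continue
        original = m.group("stem") + (m.group("ext") or "")
        if original.lower() in legit:
            found.append((name, original))
    return found


def _pseudo_shellcode(rng: random.Random, n: int) -> bytes:
    """Deterministic random bytes standing in for an encrypted shellcode chunk."""
    return bytes(rng.getrandbits(8) for _ in range(n))


_rng = random.Random(2022)
SAMPLE_RECORDS = [  # constructed, not real telemetry
    EventRecord("ExampleLicensingService", 1, b"Licensing status check completed."),
    EventRecord("Application Error", 1000,
                b"Faulting application name: notepad.exe, version: 10.0.19041.1"),
    EventRecord("ExampleLicensingService", 7777, _pseudo_shellcode(_rng, 8192)),
    EventRecord("ExampleApp", 7778, base64.b64encode(_pseudo_shellcode(_rng, 6144))),
]

if __name__ == "__main__":
    for provider, event_id, reason in hunt_event_log(SAMPLE_RECORDS):
        print(f"{provider} event {event_id}: {reason}")
    for bad, good in cloned_system_file_names(
            ["WerFault1.1.exe", "svchost.exe1.1", "notepad.exe"],
            ["WerFault.exe", "svchost.exe", "notepad.exe"]):
        print(f"{bad} clones {good}")
```

The entropy gate is deliberately coarse: a single very large high-entropy record is unusual for most providers, so it is a good first triage filter, but legitimate sources that log binary data (crash dumps, certificate blobs) will also trip it, and a real hunt should baseline which providers normally emit such data before alerting on them.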


About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
