Hackers are now hiding malware in Windows Event Logs

Blog post, Monday, May 9, 2022, in Security

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.
Adding payloads to Windows event logs

Researchers at Kaspersky collected a sample of the malware after a company product equipped with technology for behavior-based detection and anomaly control identified it as a threat on a customer's computer.

The investigation revealed that the malware was part of a "very targeted campaign" and relied on a large set of tools, both custom and commercially available.

One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services (KMS), an action completed by a custom malware dropper.

Denis Legezo, lead security researcher at Kaspersky, says that this method was used "for the first time 'in the wild'" during the malicious campaign.

The dropper copies the legitimate OS error-handling file WerFault.exe to `C:\Windows\Tasks` and then drops an encrypted binary resource as `wer.dll` (Windows Error Reporting) in the same location, relying on DLL search order hijacking to load the malicious code.

DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path.

Legezo says that the dropper's purpose is to put the loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142, "AB" in ASCII). If no such record is found, it writes 8 KB chunks of encrypted shellcode, which are later combined to form the code for the next stager.

"The dropped wer.dll is a loader and wouldn't do any harm without the shellcode hidden in Windows event logs." - Denis Legezo, lead security researcher at Kaspersky
The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant's red team, has created and published on GitHub source code for injecting payloads into Windows event logs.
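As an added defender's example (not code from the article, Kaspersky or Mandiant): a small hunting check over constructed event-log records that flags the storage pattern described above, i.e. KMS records with category 0x4142 carrying an 8 KB, high-entropy (encrypted-looking) binary payload. The record fields, the "KMS" source name and the entropy threshold are assumptions for illustration.

```python
import math
import random
from dataclasses import dataclass

SUSPECT_CATEGORY = 0x4142   # "AB" in ASCII, the marker reported by Kaspersky
CHUNK_SIZE = 8 * 1024       # the dropper writes 8 KB chunks of encrypted shellcode


@dataclass
class EventRecord:
    """Minimal stand-in for an exported event log record (assumed layout)."""
    record_id: int
    source: str
    category: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(rec: EventRecord, min_entropy: float = 7.0) -> bool:
    """True when a record matches the shellcode-storage pattern from the report."""
    return (rec.source == "KMS"
            and rec.category == SUSPECT_CATEGORY
            and len(rec.data) == CHUNK_SIZE
            and shannon_entropy(rec.data) >= min_entropy)


def find_payload_records(records) -> list:
    """Return the ids of records that look like stored shellcode chunks."""
    return [r.record_id for r in records if is_suspicious(r)]


# Constructed sample records: one benign KMS message, one 0x4142 record whose
# payload is low-entropy filler, and one that mimics an encrypted 8 KB chunk.
_rng = random.Random(1)
SAMPLE_RECORDS = [
    EventRecord(1001, "KMS", 0, b"Key Management Service started"),
    EventRecord(1002, "KMS", SUSPECT_CATEGORY, b"A" * CHUNK_SIZE),
    EventRecord(1003, "KMS", SUSPECT_CATEGORY,
                bytes(_rng.randrange(256) for _ in range(CHUNK_SIZE))),
]

if __name__ == "__main__":
    print("suspicious record ids:", find_payload_records(SAMPLE_RECORDS))
```

On a real host the same check can be fed from an export of the KMS log; the heuristic is deliberately narrow, so pair it with the file-system indicator from the article (a copy of WerFault.exe and a wer.dll in C:\Windows\Tasks).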

bleepingcomputer.com
