Security researchers recently observed malware being stored inside the Windows event log, a technique that had not been documented in real-world attacks before. It lets an attacker plant a fileless final payload, one that never sits on disk as a file, and the campaign layers a large number of techniques and modules to keep the activity as hidden as possible.
Kaspersky researchers confirmed the threat through the behavior-based detection and anomaly-control technology running on customer computers that use the company's products, and collected samples of the malware. The investigation shows that the malware is part of a "very targeted" campaign and relies on a large set of tools, both custom-built and commercially available.
Denis Legezo, lead security researcher at Kaspersky, said this is the first time the technique has been seen used in live malicious activity. The dropper copies the legitimate operating-system error-handling binary WerFault.exe to C:\Windows\Tasks, then drops an encrypted binary resource as wer.dll (the Windows Error Reporting library) into the same directory, relying on DLL search-order hijacking to get the malicious code loaded.
DLL hijacking is an attacker technique that abuses a legitimate program's insufficient checks on where it loads dynamic-link libraries (DLLs) from: a malicious DLL placed in a directory that is searched before the real library's location gets loaded into the process's memory. Legezo said the dropper's job is to place the loader on disk for the side-loading step and then to look for specific records in the event log (category 0x4142, which is 'AB' in ASCII). If no such records are found, it writes the payload into the log as 8KB chunks of encrypted shellcode, which are later combined into the code of the next stager.
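The two artifacts described above, the side-loading pair in C:\Windows\Tasks and the 0x4142 event log records, are both things a responder can hunt for. The following script is an added example written for this page; it is not Kaspersky's code or the malware's. It assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7), an elevated prompt, that the dropped files are in C:\Windows\Tasks as the article states, and that the marker records were written to the Application log; the log name, the write-order reassembly and the carve path are assumptions, not facts from the article.

```powershell
# Added hunting script (not Kaspersky's or the article's code).
# Assumptions: Windows PowerShell 5.1, elevated prompt, drop directory C:\Windows\Tasks,
# marker records in the Application log, chunks written in log order. All of these are
# assumptions made for this example; adjust the parameters for your environment.
param(
    [string]$LogName    = 'Application',
    [int]   $SuspectCat = 0x4142,                      # 'AB' in ASCII, the category the loader searches for
    [string]$DropDir    = 'C:\Windows\Tasks',
    [string]$CarveTo    = "$env:TEMP\eventlog_payload.bin"
)

# --- 1. Look for the side-loading pair in the drop directory -----------------
# Neither WerFault.exe nor wer.dll belongs in C:\Windows\Tasks. A copied WerFault.exe
# will normally hash-match the System32 original; the wer.dll next to it will not.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'WerFault.exe', 'wer.dll') {
    $dropped = Join-Path $DropDir $name
    if (Test-Path $dropped) {
        $dropHash = (Get-FileHash -Algorithm SHA256 -Path $dropped).Hash
        $realHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $sys32 $name)).Hash
        $verdict  = if ($dropHash -eq $realHash) { 'identical to System32 copy' } else { 'DIFFERS from System32 copy' }
        Write-Warning "$dropped is present ($verdict)"
    }
}

# --- 2. Hunt the event log for records carrying the marker category ----------
$hits = Get-EventLog -LogName $LogName |
            Where-Object { $_.CategoryNumber -eq $SuspectCat } |
            Sort-Object Index          # Index grows in write order; assumed to be the assembly order

if (-not $hits) {
    'No records with category 0x{0:X4} in the {1} log.' -f $SuspectCat, $LogName
    return
}

$hits | ForEach-Object {
    $len = if ($_.Data) { $_.Data.Length } else { 0 }
    '{0,8}  {1:u}  {2,-28} {3,6} bytes of binary data' -f $_.Index, $_.TimeGenerated, $_.Source, $len
}

# --- 3. Reassemble the chunks the way the next stage would, and carve them ---
# The result is still the encrypted shellcode; decryption is out of scope here.
$blob = New-Object System.IO.MemoryStream
foreach ($h in $hits) {
    if ($h.Data) { $blob.Write($h.Data, 0, $h.Data.Length) }
}
$bytes = $blob.ToArray()
[System.IO.File]::WriteAllBytes($CarveTo, $bytes)
$sha = ([System.BitConverter]::ToString(
           [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes))) -replace '-', ''
'Carved {0} bytes from {1} record(s) to {2} (SHA256 {3})' -f $bytes.Length, @($hits).Count, $CarveTo, $sha
```

Save it as a .ps1 and run it from an elevated Windows PowerShell 5.1 prompt. A hit on the marker category alone is already suspicious, since legitimate sources do not normally log binary data under category 0x4142; the carved blob is meant for offline analysis, and an absent wer.dll is consistent with Legezo's remark that the loader is harmless without the shellcode in the log, so check both places.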
"The dropped wer.dll is a loader. If there is no shellcode hidden in the Windows event log, it does not cause any harm," said Denis Legezo, lead security researcher at Kaspersky.