In what seems to be a world first, hackers have used a custom malware dropper to plant fileless malware in Windows event logs for the Key Management Services (KMS).
Cybersecurity researchers from Kaspersky first spotted the new technique after being tipped off by a customer with an infected endpoint. The researchers say the entire campaign is “very targeted” and deploys a large set of tools, some custom-built and some commercial.
According to Kaspersky’s Denis Legezo, this is the first time this technique has been spotted in the wild. As he explained, the malware dropper copies WerFault.exe, the operating system’s genuine error-handling executable, into the C:\Windows\Tasks folder, and then drops a Wer.dll (short for Windows Error Reporting) carrying an encrypted binary resource into the same folder. That way, through DLL search order hijacking, the malicious code is loaded when the copied WerFault.exe runs.
The loader’s purpose, Legezo says, is to look for specific lines in the event logs. If it doesn’t find them, it writes pieces of encrypted shellcode into the logs, which are later assembled into the malware for the next stage of the attack.
In other words, wer.dll serves only as a loader: without the shellcode stored in the Windows event logs, it can’t do much harm.
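The two indicators described above (a copy of WerFault.exe with a sideloaded wer.dll in C:\Windows\Tasks, and binary shellcode chunks stored as event data) are both things a defender can check for directly. The following PowerShell script is an added triage example, not code from the article or from Kaspersky; it assumes the loader lives at exactly the path the article names, that the chunks are written as binary event data into the “Key Management Service” log, and that the 1024-byte size threshold is a reasonable cut-off, all of which are assumptions for illustration.

```powershell
# Added example (not from the article or Kaspersky): defender-side triage for the
# two indicators described in the text. Assumes the loader is dropped as
# C:\Windows\Tasks\WerFault.exe + wer.dll and that shellcode chunks are stored as
# binary event data in the "Key Management Service" log. Run as Administrator.

$tasks = 'C:\Windows\Tasks'

# 1. Look for a copied WerFault.exe and a wer.dll sitting next to it. The genuine
#    WerFault.exe lives in System32; a copy in Tasks is itself a red flag.
foreach ($name in 'WerFault.exe', 'wer.dll') {
    $path = Join-Path $tasks $name
    if (Test-Path $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Write-Warning ("{0} present in {1} (signature: {2}, SHA256: {3})" -f $name, $tasks, $sig.Status, $hash)
    }
}

$real = Join-Path $env:SystemRoot 'System32\WerFault.exe'
$copy = Join-Path $tasks 'WerFault.exe'
if ((Test-Path $copy) -and (Test-Path $real)) {
    # A byte-identical copy means the attacker simply reused the signed binary
    # so that it would load wer.dll from its own directory first.
    $same = (Get-FileHash -Path $copy).Hash -eq (Get-FileHash -Path $real).Hash
    Write-Output "WerFault.exe in Tasks is byte-identical to the System32 copy: $same"
}

# 2. Scan the KMS event log for events whose payload is a sizeable binary blob.
#    Encrypted shellcode has near-maximal entropy (close to 8 bits per byte).
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

$minChunk = 1024  # assumption: a KMS event carrying this much binary data is worth a look
try {
    $events = Get-WinEvent -LogName 'Key Management Service' -ErrorAction Stop
} catch {
    # Get-WinEvent throws when the log is empty or absent; treat that as "nothing found".
    Write-Output "No events in the Key Management Service log (or log not present)."
    $events = @()
}

$hits = foreach ($e in $events) {
    foreach ($prop in $e.Properties) {
        $v = $prop.Value
        if ($v -is [byte[]] -and $v.Length -ge $minChunk) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                RecordId    = $e.RecordId
                EventId     = $e.Id
                Provider    = $e.ProviderName
                Bytes       = $v.Length
                Entropy     = [Math]::Round((Get-ShannonEntropy -Bytes $v), 2)
            }
        }
    }
}

if ($hits) {
    Write-Warning "Binary payloads found in the Key Management Service event log:"
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output "No large binary payloads in the Key Management Service log."
}
```

The entropy column is what separates a stored ciphertext chunk from ordinary structured event data: a legitimate KMS record would not normally carry a kilobyte-scale blob at all, and one scoring near 8 bits per byte is worth pulling for analysis together with the file findings from the first half of the script.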
The entire technique, and the way it’s been pulled off, is “impressive”, Legezo told the publication. “The actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools,” he said, hinting at an APT attacker.
Who the threat actor is remains anyone’s guess at the moment. According to the researchers, the campaign started in September 2021, and since it bears no similarities to any previously recorded attacks, it’s likely that we’re looking at a completely new player.
For the time being, the researchers are dubbing the attacker SilentBreak.