A new malware campaign takes advantage of Windows event logs

A new malware campaign takes advantage of Windows event logs

Kaspersky's team of security researchers has discovered a malware campaign that uses a previously unrecorded technique whereby the file system is infected via Windows event logs in a way that is practically invisible to antivirus.

Thanks to technology that allows you to identify threats based on behavior and monitor anomalies, researchers have identified the threat on a customer's computer and were able to extract a sample.

Apparently, the campaign behind the The attack is extremely focused and involves the use of a wide range of tools, both purpose-built and commercially available, such as the SilentBreak toolset. In particular, the Windows event logs are affected by the loading of some shellcode payloads, via a custom program for loading malware. In particular, KMS events are affected, ie those related to key management services.

In general, the researchers were impressed by the campaign because of the various modules and attack strategies implemented, which include custom anti-detection wrappers, Trojans and even suites for penetration tests, including Cobalt Strike and NetSPI. All this indicates that the campaign managers have advanced skills and may be very familiar with some commercial tools.

The initial phase of the attack dates back to September 2021, when the victim was deceived to download a RAR file from the file.io service. Possible perpetrators have not yet been identified, but researchers say the purpose of such a targeted malware attack is to obtain data of some significance. At the moment, the activity was called "SilentBreak", citing the most used tool in the attack.