What’s this… Malware hiding in Windows Event Logs?

Hackers are now hiding malware in Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

Adding payloads to Windows event logs

Researchers at Kaspersky collected a sample of the malware after a company product equipped with technology for behavior-based detection and anomaly control identified it as a threat on a customer’s computer.

The investigation revealed that the malware was part of a “very targeted” campaign and relied on a large set of tools, both custom and commercially available.
One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services (KMS), an action completed by a custom malware dropper.

The new technique analyzed by Kaspersky is likely on its way to becoming more popular, as Soumyadeep Basu, currently an intern for Mandiant’s red team, has created and published source code on GitHub for injecting payloads into Windows event logs.
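As an added, defender-side illustration (not code from the article, from Kaspersky's report, or from the GitHub project mentioned above): the technique stores payload chunks in the Binary data field of KMS event log entries, so one hunting heuristic is to flag events from that provider whose Binary field is both unusually large and high-entropy. The record layout, event IDs, sample data and thresholds below are constructed for the example; on a real host the same fields would come from an export of the Application log.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass
class EventRecord:
    """Minimal stand-in for a Windows event log record (Provider, Id, Binary)."""
    provider: str
    event_id: int
    binary: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted shellcode scores near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Thresholds are assumptions chosen for this example, not figures from the report.
MIN_PAYLOAD_BYTES = 1024
MIN_PAYLOAD_ENTROPY = 6.5


def suspicious_events(records, provider="KMS"):
    """Return (event_id, size, entropy) for events of `provider` whose Binary
    field is both large and high-entropy, i.e. looks like an embedded payload chunk."""
    hits = []
    for r in records:
        if r.provider != provider or len(r.binary) < MIN_PAYLOAD_BYTES:
            continue
        ent = shannon_entropy(r.binary)
        if ent >= MIN_PAYLOAD_ENTROPY:
            hits.append((r.event_id, len(r.binary), round(ent, 2)))
    return hits


# Constructed sample log (event IDs are arbitrary): a small ordinary KMS event,
# a large but low-entropy text blob, a high-entropy blob under another provider,
# and a high-entropy 4 KiB KMS chunk standing in for a stored shellcode fragment.
_fake_payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_LOG = [
    EventRecord("KMS", 1001, b"\x00\x01\x00\x00"),
    EventRecord("KMS", 1002, b"A" * 4096),
    EventRecord("Application Error", 1003, _fake_payload),
    EventRecord("KMS", 1004, _fake_payload),
]

if __name__ == "__main__":
    for event_id, size, ent in suspicious_events(SAMPLE_LOG):
        print(f"suspicious KMS event {event_id}: {size} bytes, entropy {ent}")
```

Only the last record is reported; the entropy check keeps large but plain-text Binary fields from firing, and the provider filter scopes the hunt to the log the campaign abused.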

Source: BleepingComputer