With each security update, cyber attackers evolve newer means to breach the enterprise security perimeter and steal or hold data to ransom. The ever-increasing threat has forced many cybersecurity companies to go into a recruitment overdrive to hire malware analysts to monitor and analyze malware threats. Recently, cybersecurity professionals unearthed a new malware variant, which hides within Windows event logs.
According to Allied Market Research's statistical report, the global malware analysis market will grow from US$3,271.46 million in 2018 to US$24,150.55 million by 2026. The industry will grow at an estimated CAGR of 28.5 percent. As more Windows systems enter the market, the likelihood of event logs being abused grows.
What is a Windows event log?
Windows event log is a component of the Windows system that keeps a detailed record of the system, the applications associated with the OS, and its security events. System administrators use the Windows event logs to identify problems, diagnose system errors, and predict future issues. These programs remain attached to a Windows operating system to help enterprise IT professionals troubleshoot system problems.
Malware hidden in Windows event logs
Malware analysts and researchers discovered that cybercriminals have found new ways to hide malware so that they become undetectable. According to Kaspersky's recently published report, a hacker exploited the Windows event log system as a malware hideout and later launched an attack. Cybercriminals strategically position the malware in Key Management Services (KMS). According to researchers, this approach enables the threat actor to plant file-less malware in the file system. Such malware attack techniques come with explicitly designed modules that keep the malicious action as stealthy as possible.
The malware's exploitation approach
The Kaspersky researchers collected malware samples from a company product provisioned with behaviour-based malware detection and anomaly control technology. They identified it as a threat that infected their customer's computer. The malware analysis revealed that this malware is a part of a targeted campaign that relies on various techniques and tools. Some of these supporting tools and programs are commercially available, while the others are custom built. This malware also uses a custom malware dropper that enables the malware to inject the shellcode payloads into Windows event logs, specifically in the Key Management Services (KMS).
The custom malware dropper impersonates the legitimate error-handling file called "WerFault.exe" into the 'C:\Windows\Tasks' directory. It then deploys an encrypted binary resource to the Windows Error Reporting (WER) DLL file within that exact location. It performs DLL hijacking that loads and triggers the malicious code. DLL hijacking is an attack technique where the attacker exploits legitimate DLL files (often system DLLs) and programs to load malicious DLL files from random paths. The wer.dll acts as a loader and will not carry out any harmful or malicious action without the shellcode that is dropped and kept hidden in Windows event logs. Such an attacking approach makes the malware persistent.
How to protect your enterprise from these threats
There are various security measures enterprises can take to protect their Windows systems from these types of threats:
Web application firewalls (WAFs) with custom filters and security configurations can help prevent such malware and other advanced persistent threats coming from web applications.
Behaviour-based threat detection and control systems:
Numerous security solutions like Identity & Access Management (IAM), intrusion prevention systems (IPS), and other modern end-point solutions come with artificial intelligence & machine learning algorithms. These solutions can analyze the behaviour of the threats and notify the security professionals to take proactive actions.
Enterprises that use Windows as their operating system should also install anti-malware software that can help detect such malicious threats and shellcodes.
Windows event logs are an essential part of any Windows system. They play a crucial role in identifying system errors, predicting future issues, and helping enterprise IT professionals troubleshoot system problems. However, as cybercriminals have found new ways to hide malware in these logs, organizations need to take necessary measures to protect their systems from these types of threats.
Have questions? Contact the Packletlabs team to learn how your security posture can be strengthened.
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications