In what seems to be a world first, hackers have used a custom malware dropper to plant fileless malware in Windows event logs for the Key Management Services (KMS).
Cybersecurity researchers from Kaspersky first spotted the new technique after being tipped off by a customer with an infected endpoint. The entire campaign, the researchers say, is "very targeted" and deploys a large set of tools, some custom-built and some commercial.
According to Kaspersky's Denis Legezo, this is the first time this technique has been spotted in the wild. As he explained, the malware dropper copies WerFault.exe, the OS' real error handling file, into the C:\Windows\Tasks folder, and then drops a Wer.dll (short for Windows Error Reporting) carrying an encrypted binary resource into the same location. Because the application directory is searched before the system directory, that planted DLL is the one WerFault.exe loads, and through this DLL search order hijacking the malicious code ends up running on the system.
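To make the hijack described above concrete from a defender's side, here is an added example (not code from the article or from Kaspersky) that models the relevant part of the Windows DLL search order and flags a WerFault.exe that runs outside the system directories with a wer.dll sitting next to it. The on-disk layout (`SAMPLE_FS`) and the trusted-directory list are constructed assumptions for the demo; the search-order model is deliberately simplified (application directory, then System32).

```python
from pathlib import PureWindowsPath

# Directories where the real WerFault.exe lives; any other location is out of place.
TRUSTED_WERFAULT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DIR = r"C:\Windows\System32"

# Constructed snapshot of files on disk, keyed by lower-cased directory.
SAMPLE_FS = {
    r"c:\windows\system32": {"werfault.exe", "wer.dll"},
    r"c:\windows\tasks": {"werfault.exe", "wer.dll"},   # staging layout the article describes
    r"c:\users\alice\downloads": {"werfault.exe"},       # copied binary but no planted DLL
}


def resolve_dll(dll_name, app_dir, fs=SAMPLE_FS):
    """Simplified default DLL search order: the application's own directory is
    consulted before System32, so a same-named DLL there shadows the system copy.
    (KnownDLLs handling and the later search locations are ignored in this model.)"""
    for directory in (app_dir, SYSTEM_DIR):
        if dll_name.lower() in fs.get(directory.lower(), set()):
            return str(PureWindowsPath(directory, dll_name))
    return None


def classify_werfault(image_path, fs=SAMPLE_FS):
    """Return a finding for a WerFault.exe process image, or None if it looks legitimate."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "werfault.exe":
        return None  # not the binary we are hunting for
    app_dir = str(p.parent)
    if app_dir.lower() in TRUSTED_WERFAULT_DIRS:
        return None  # genuine location, nothing to report
    loaded = resolve_dll("wer.dll", app_dir, fs)
    if loaded and not loaded.lower().startswith(SYSTEM_DIR.lower()):
        return f"HIJACK: {image_path} would load {loaded} instead of the system wer.dll"
    return f"SUSPICIOUS: {image_path} runs outside the system directories"


def scan(image_paths, fs=SAMPLE_FS):
    """Apply classify_werfault to a batch of process image paths (e.g. from process-creation logs)."""
    return [f for f in (classify_werfault(i, fs) for i in image_paths) if f]


if __name__ == "__main__":
    for finding in scan([r"C:\Windows\System32\WerFault.exe",
                         r"C:\Windows\Tasks\WerFault.exe",
                         r"C:\Users\alice\Downloads\WerFault.exe"]):
        print(finding)
```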
[HEADING=1]SilentBreak[/HEADING]
The loader's purpose, Legezo says, is to look for specific lines in the event logs. If it doesn't find them, it will write pieces of encrypted shellcode, which would later form the malware for the next stage of the attack.
In other words, wer.dll serves as a loader, and without the shellcode in Windows event logs, it can't do much harm.
The entire technique, and the way it's been pulled off, is "impressive", Legezo told the publication. "The actor behind the campaign is rather skilled by itself, or at least has a good set of quite profound commercial tools," he said, hinting at an APT attacker.
Who the threat actor is, is anyone's guess at the moment. According to the researchers, the campaign started in September 2021, and given that the campaign bears no similarities to any previous attacks recorded, it's likely that we're looking at a completely new player.
For the time being, the researchers are dubbing the attacker SilentBreak.
Via: BleepingComputer