Lead Security Researcher, Kaspersky
A New Secret Stash For Fileless Malware
Attacks using fileless malware have become more complex, and the actors behind them keep creating new, more advanced ways of carrying them out. In 2022, Kaspersky discovered new methods used to keep the code hidden from prying eyes: for the first time, we found Windows event logs taking part in the infection chain. This is concerning, because event logging exists in every installation of the most widely used operating system on the globe.
Informational event messages can carry additional binary data, and that is where the payload goes. The dropper writes the shellcode into events registered under the Key Management System (KMS) event source, assigning them a specific category ID and incrementing message IDs. Auxiliary malicious modules later gather the 8KB pieces from the log, reassemble them into the complete shellcode and run it.
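As an added illustration of the storage scheme just described (example code, not from the talk or from Kaspersky), a small Python hunting helper that looks for what the abstract describes: runs of events under one source and category whose message IDs step by exactly one and whose binary data comes in 8KB pieces, and that reassembles such a run so the blob can be hashed or scanned offline. The source name, category ID, message IDs and payload below are constructed placeholders; on a real host the records would be exported from the Application log (for example with Get-WinEvent) and mapped onto EventRecord.

```python
from dataclasses import dataclass
from itertools import groupby
CHUNK = 8 * 1024  # the 8KB piece size the abstract describes

@dataclass
class EventRecord:
    source: str      # provider name as shown in the Application log
    category: int    # task category ID
    event_id: int    # event (message) ID
    data: bytes      # binary data attached to the message, b"" if none

def _summary(run):
    return (run[0].source, run[0].category, run[0].event_id,
            run[-1].event_id, sum(len(r.data) for r in run))

def find_stashes(records, min_pieces=2):
    """Hunt for runs of events from one source/category whose message IDs step
    by exactly one and whose binary data forms full 8KB pieces (only the last
    may be shorter). Returns (source, category, first_id, last_id, bytes) per run."""
    key = lambda r: (r.source, r.category)
    findings = []
    for _, grp in groupby(sorted(records, key=lambda r: (key(r), r.event_id)), key=key):
        run = []
        # None terminates the group; text-only events carry no payload and are skipped
        for rec in [r for r in grp if r.data] + [None]:
            # a gap in the IDs or a short middle piece ends the current run
            if run and (rec is None or rec.event_id != run[-1].event_id + 1
                        or len(run[-1].data) != CHUNK):
                if len(run) >= min_pieces:
                    findings.append(_summary(run))
                run = []
            if rec is not None:
                run.append(rec)
    return findings

def reassemble(records, source, category, first_id, last_id):
    """Glue one finding's pieces back together in message-ID order so the blob
    can be hashed or scanned offline, as the auxiliary modules would."""
    run = sorted((r for r in records if (r.source, r.category) == (source, category)
                  and first_id <= r.event_id <= last_id), key=lambda r: r.event_id)
    return b"".join(r.data for r in run)

def sample_records():
    """Constructed sample, not data from the talk: 20 000 bytes of fake shellcode
    split into 8KB pieces under a made-up source/category/ID range, plus benign noise."""
    payload = bytes((i * 37) % 256 for i in range(20_000))
    pieces = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    recs = [EventRecord("KMS", 3, 1000 + n, p) for n, p in enumerate(pieces)]
    recs += [EventRecord("KMS", 3, 5, b""), EventRecord("KMS", 1, 2001, b"x" * 100)]
    return payload, recs
```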
The actor's interest in the event logs isn't limited to storing shellcode, however. To hide the infection process, the Go droppers also patch the ntdll.dll Windows API functions related to logging.
Denis has been working as Lead Security Researcher with the Global Research and Analysis Team (GReAT) at Kaspersky since 2014. He specializes in targeted attack research, reverse engineering and malware analysis, and regularly provides training for customers on these subjects. He graduated from the faculty of cybernetics and applied mathematics of Moscow State University in 2002 with a diploma topic related to information security, and then started his career as a programmer in various public and commercial companies. He has presented his research at RSA, HITB, SAS and VirusBulletin.