In what appears to be a world first, hackers used a custom malware dropper to plant fileless malware in Windows Event Logs for Key Management Services (KMS).
Kaspersky cybersecurity researchers first discovered the new technique after being notified by a customer with an infected terminal. The entire campaign, according to the researchers, is “highly targeted” and deploys a wide range of tools, some of which are personalized and some of which are commercial.
According to Denis Legezo of Kaspersky, this is the first time that this technique has been spotted in nature. As he explained, the malware dropper copies WerFault.exe, the actual operating system error handling file, to the C:\Windows\Tasks folder and then adds an encrypted binary resource to Wer .dll (short for Windows Error Reporting) in the same folder location. In this way, through DLL search order hijacking, malicious code can be loaded into the system.
The purpose of the loader, says Legezo, is to search for specific lines in the event logs. If it can’t find them, it will write bits of encrypted shellcode, which will later form the malware for the next stage of the attack.
In other words, wer.dll serves as a loader, and without the shellcode in the Windows event logs, can’t do much harm.
The whole technique, and the way it was done, is “impressive,” Legezo told the publication. “The actor behind the campaign is pretty adept on his own, or at least has a good set of pretty deep business tools,” he said, alluding to an APT attacker.
Who the threat actor is, no one can guess right now. According to the researchers, the campaign started in September 2021, and given that the campaign bears no similarities to previous recorded attacks, it’s likely we’re dealing with a brand new player.
For now, researchers are dubbing the attacker SilentBreak.