A sophisticated attack campaign was detected using a never-before-seen technique to stealthily plant fileless malware on targeted machines.
Researchers revealed that the technique involves writing shellcode directly into Windows event log records. The event logs then serve as cover for the payload, which is read back out of the log and used to launch trojans in the last stage of the infection chain.
The first stage of the attack chain involves luring victims into downloading a compressed RAR archive from fake websites that appear legitimate.
Once the archive is opened, it runs the penetration-testing tools Cobalt Strike and SilentBreak to deliver the shellcode. The attackers additionally use separate anti-detection AES decryptors compiled with Visual Studio.
The attackers also use digital certificates and a variety of other anti-detection wrappers to evade security checks.
Two types of trojans were used in the last stage: one communicated over HTTP with RC4-encrypted traffic, the other over named pipes.
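The article does not name the log, event source or record IDs the campaign used, so the check below is generic. It is an added example, not code from the researchers' report or from the malware: it models the stash-and-reassemble pattern with constructed records (a pseudo-random blob stands in for shellcode; the provider name "ExampleApp", event ID 1000, chunk size and thresholds are assumptions) and then runs an entropy and printability check over the records, the kind of hunt an analyst could apply to an exported event log.

```python
"""Hunt for opaque payload chunks stashed in Windows event-log records.

Added example with constructed data. Provider name, event ID, chunk size
and detection thresholds are assumptions, not values from the article.
"""
import math
import random
from collections import Counter

# Constructed stand-in for a shellcode blob (pseudo-random bytes, not real code).
_rng = random.Random(2022)
CONSTRUCTED_PAYLOAD = bytes(_rng.randrange(256) for _ in range(3000))
CHUNK_SIZE = 1024  # assumed chunk size; the article gives none


def stash_payload(payload, provider, event_id, first_record_id):
    """Model the dropper side: split a blob into chunks and store each chunk as
    the message text of one event record. Event messages are strings, so raw
    bytes are carried as latin-1 text (every byte value maps to one character)."""
    records = []
    for i in range(0, len(payload), CHUNK_SIZE):
        records.append({
            "record_id": first_record_id + len(records),
            "provider": provider,
            "event_id": event_id,
            "message": payload[i:i + CHUNK_SIZE].decode("latin-1"),
        })
    return records


def reassemble(records):
    """Model the launcher side: read the matching records back in record order
    and concatenate their messages into the original blob."""
    ordered = sorted(records, key=lambda r: r["record_id"])
    return b"".join(r["message"].encode("latin-1") for r in ordered)


# Constructed benign records plus three stashed chunks (record IDs 103-105).
SAMPLE_RECORDS = [
    {"record_id": 101, "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Windows Update service entered the running state."},
    {"record_id": 102, "provider": "Microsoft-Windows-Kernel-General", "event_id": 1,
     "message": "The system time has changed. " * 40},  # long but ordinary text
    *stash_payload(CONSTRUCTED_PAYLOAD, "ExampleApp", 1000, 103),
    {"record_id": 106, "provider": "Microsoft-Windows-Security-SPP", "event_id": 16384,
     "message": "Successfully scheduled Software Protection service for re-start."},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for packed or
    encrypted code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable or ordinary whitespace."""
    if not text:
        return 1.0
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / len(text)


def is_suspicious(record, min_len=512, entropy_limit=6.0, printable_floor=0.9):
    """Flag a record whose message is long and looks like opaque binary data.
    Thresholds are assumptions; tune them against a local baseline."""
    msg = record["message"]
    raw = msg.encode("latin-1", errors="replace")
    if len(raw) < min_len:
        return False
    return shannon_entropy(raw) > entropy_limit or printable_ratio(msg) < printable_floor


def find_stash_candidates(records):
    """Return the records that look like stashed payload chunks."""
    return [r for r in records if is_suspicious(r)]


if __name__ == "__main__":
    hits = find_stash_candidates(SAMPLE_RECORDS)
    for r in hits:
        raw = r["message"].encode("latin-1")
        print(f"record {r['record_id']} provider={r['provider']!r} id={r['event_id']} "
              f"len={len(raw)} entropy={shannon_entropy(raw):.2f} "
              f"printable={printable_ratio(r['message']):.2f}")
    blob = reassemble(hits)
    print("reassembled", len(blob), "bytes; matches stashed blob:", blob == CONSTRUCTED_PAYLOAD)
```

On a live host the records would come from an export (for example `wevtutil` or `Get-WinEvent`) rather than the constructed list, and the flagged records would be grouped by provider and event ID before anything is reassembled. The long benign record 102 is deliberately included: length alone is not a signal, and the entropy and printability tests are what separate ordinary verbose messages from opaque chunks.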
Given how criminal tradecraft keeps evolving to plant malicious code stealthily on compromised systems, fileless malware is highly likely here to stay. Organizations need to bolster their endpoint defences so that such activity is detected and stopped early in the chain.