In short: The Windows Event Log and Event Viewer are supposed to help users diagnose security issues and other problems on a PC. However, Kaspersky Lab researchers came across one hacker who used the event log itself against its target.
Last week Kaspersky published a detailed analysis of a complex attack that began last fall. It combined several different methods and programs, but Kaspersky Lab's security researchers singled out the use of Windows event logs as something completely new.
At one stage of the campaign, the attacker inserted shellcode into the target's Windows event logs. This malware storage method is especially stealthy because it leaves no files on disk for antivirus software to detect.
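Because this storage technique leaves nothing on disk, a defender has to look at the log records themselves. The following is an added example, not code from the article or from Kaspersky's report: a small Python heuristic that flags event records whose payload is large, high-entropy and mostly non-printable, which is how a binary blob planted in a log stands out from the text messages Windows normally writes. The provider names, event IDs, sample payloads and thresholds are all constructed for illustration.

```python
import math
import string

# Constructed sample records: (provider, event_id, payload).
# These are made up for illustration and are not taken from the Kaspersky analysis.
SAMPLE_RECORDS = [
    ("Service Control Manager", 7036,
     b"The Windows Update service entered the running state."),
    ("Application Error", 1000,
     b"Faulting application name: notepad.exe, version: 10.0.19041.1"),
    # A record whose payload is binary rather than text, standing in for a
    # planted blob: 1024 bytes covering every byte value, so entropy is maximal.
    ("ExampleProvider", 4242, bytes(range(256)) * 4),
]

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text sits around 4-5, random or
    packed bytes approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def non_printable_ratio(data: bytes) -> float:
    """Fraction of bytes outside the ASCII printable set."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def is_suspicious(payload: bytes, min_len: int = 512,
                  entropy_threshold: float = 6.5,
                  np_threshold: float = 0.2) -> bool:
    """Flag a payload that is large, high-entropy and mostly non-printable.
    All three thresholds are assumptions to be tuned per environment."""
    return (len(payload) >= min_len
            and shannon_entropy(payload) >= entropy_threshold
            and non_printable_ratio(payload) >= np_threshold)


def scan(records):
    """Return (provider, event_id) for every record whose payload looks like
    an opaque binary blob rather than a log message."""
    return [(prov, eid) for prov, eid, payload in records
            if is_suspicious(payload)]


if __name__ == "__main__":
    for prov, eid in scan(SAMPLE_RECORDS):
        print(f"suspicious record: provider={prov!r} event_id={eid}")
```

In a real deployment the records would come from an exported log (for example the binary data field of each event) rather than an inline list, and the thresholds need tuning, since some legitimate providers do write binary data into events; the heuristic is a triage filter that narrows what an analyst has to inspect, not a verdict.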
The campaign also used a large selection of both commercial and custom-built tools. These included DLL hijacking, a trojan, anti-detection wrappers, web domain spoofing, and more. The attacker even signed some of the programs himself to make them look more legitimate.
The scale and uniqueness of the attack indicate that it was directed at a specific target system. In the first stage, in September, the attacker convinced the victim to download and run a .rar file hosted on the legitimate file.io file-sharing service. At the very least, this should be a reminder not to follow links from strangers, much less download and run files from them.
Kaspersky Lab was unable to link the attack to any known group or determine its ultimate goal. However, as BleepingComputer notes, researchers said such attacks are usually aimed at obtaining valuable data from their targets.
Credit: www.techspot.com