Fake Windows Error Logs Used to Hide Malicious Payload

Cybercriminals have continued to devise new techniques to avoid detection. Recently, hackers have been observed using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks.

Hiding in plain sight

This time, the malware authors used new tricks involving error logs to hide a sophisticated attack in plain sight.
  • Huntress Labs researchers recently discovered the attack, which included tricks such as renaming legitimate files, masquerading as an existing scheduled task, and storing a malicious payload in a file made to look like an error log.
  • The error log files contained timestamps and references to OS 6.2, the internal Windows version number for Windows 8 and Windows Server 2012.
  • The final payload is used to collect details about the compromised host, such as installed applications, specifically PoS software, financial applications, browsers, tax software (Lacerte and ProSeries), and security products (Kaspersky, Comodo, Defender), as well as IP addresses, administrative privileges, etc.
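
As an added illustration (not code from Huntress Labs or from the original article), the following Python sketch shows one way a defender could triage log-like files for this trick: it checks whether nearly all hexadecimal values in a file fall in the printable ASCII range. The 0x-prefixed token format, the thresholds, and both sample logs are assumptions constructed for the example.

```python
import re

# Assumption: character codes are written as 0x-prefixed hex tokens.
HEX_TOKEN = re.compile(r"\b0x([0-9A-Fa-f]{1,16})\b")

def decode_hex_tokens(text):
    """Return (token count, string built from tokens that are printable ASCII codes)."""
    values = [int(tok, 16) for tok in HEX_TOKEN.findall(text)]
    chars = [chr(v) for v in values if v in (9, 10, 13) or 32 <= v <= 126]
    return len(values), "".join(chars)

def assess_log(text, min_tokens=16, min_ratio=0.9):
    """Flag a log whose hex values are almost all printable ASCII codes.

    Genuine error codes and addresses (0x80070005, 0x7FFD1000) fall far outside
    the printable range, so a high ratio suggests encoded text, not diagnostics.
    """
    total, decoded = decode_hex_tokens(text)
    ratio = len(decoded) / total if total else 0.0
    suspicious = total >= min_tokens and ratio >= min_ratio
    return {"tokens": total, "printable_ratio": ratio,
            "suspicious": suspicious, "decoded": decoded if suspicious else ""}

def constructed_encoded_log(message):
    """Constructed test input: one log-like line per character of a harmless string."""
    return "\n".join(
        f"[2020-01-01 00:00:{i % 60:02d}] OS 6.2 error at 0x{ord(c):08X}"
        for i, c in enumerate(message))

def constructed_normal_log(lines=10):
    """Constructed test input: log lines carrying ordinary error codes and addresses."""
    return "\n".join(
        f"[2020-01-01 00:00:{i:02d}] fault 0x{0x80070000 + i:08X} at 0x{0x7FFD0000 + i:08X}"
        for i in range(lines))

if __name__ == "__main__":
    samples = (("encoded", constructed_encoded_log("Write-Output 'constructed benign sample'")),
               ("normal", constructed_normal_log()))
    for name, log in samples:
        print(name, assess_log(log))
```

A flagged file is only a lead for review: the decoded text still has to be read by an analyst, and the thresholds need tuning against real logs in the environment.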

Watch out for clever evasion techniques

In past attacks as well, hackers have been observed using steganography and other sly techniques to hide malicious code inside legitimate-looking files.

  • In June 2020, Tycoon ransomware was observed hiding its payload in a Java image file to prevent detection on Windows and Linux systems and target corporate networks.
  • In May 2020, attackers targeted victims in Japan, the U.K., Germany, and Italy, delivering malicious PowerShell scripts hidden in image files to steal employee credentials from organizations tied to the industrial sector.
  • In the same month, the Tropic Trooper group used steganography techniques to mask their backdoor routines and evade anti-malware and network perimeter detection.

Security recommendations

Users should use threat intelligence to stay current with steganographic and other threats. Expedite and prioritize vulnerability patches, updates, and policy controls. Also protect networks against application exploits, malicious software, botnets, and zero-day vulnerabilities.