New PRIVATELOG Malware Uses CLFS Log Files to Hide

What's new?

• The malware hasn’t been used in real-world attacks or observed to launch any second-stage payloads. It is believed to be in development or used for specific activities.
• As CLFS format is not very popular, no tools can read CLFS log files. This makes it possible to hide data as CLFS log records, without getting caught on any security radars. This data can be accessed using API functions.
• PRIVATELOG’s identified sample is an un-obfuscated 64-bit DLL file. While StashLog is its installer that uses obfuscated strings and control flow techniques that complicate detection.

Delivering the payloads

• The StashLog installer allows a next-stage payload as an argument and the contents of it could be stored in a CLFS log file. 
• PRIVATELOG uses the DLL search order hijacking method to load the malicious library. The malicious payload gets executed when it is called by a victim's program, such as PrintNotify.
• Moreover, PRIVATELOG first identifies *.BLF files in default user's profile directory. Then, uses a .BLF file with the oldest date timestamp, before decrypting and storing the payload of the second stage.

Closing lines