Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System (CLFS) to hide a second-stage payload inside registry transaction files in an attempt to evade detection mechanisms.
FireEye's Mandiant Advanced Practices team, which made the discovery, dubbed the malware PRIVATELOG and its installer STASHLOG. Details about the identity of the threat actor and their motives remain unclear.
While the malware has yet to be observed in real-world attacks against customer environments or seen launching any second-stage payload, Mandiant suspects that PRIVATELOG could still be in development, the work of a researcher, or deployed as part of a highly targeted operation.
CLFS is a general-purpose logging subsystem in Windows that is available to both kernel-mode and user-mode applications, such as database systems, OLTP systems, messaging clients, and network event management systems, for building and sharing high-performance transaction logs. CLFS base log files carry the .BLF extension; the registry keeps its own transaction logs in that format, which is why a user profile directory already contains them.
"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers said in a write-up published this week. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
PRIVATELOG and STASHLOG come with capabilities that allow the malicious software to persist on infected machines and avoid detection, including obfuscated strings and control-flow techniques expressly designed to make static analysis cumbersome. What's more, the STASHLOG installer accepts a next-stage payload as an argument, the contents of which are then stashed in a specific CLFS log file.
Fashioned as an un-obfuscated 64-bit DLL named "prntvpt.dll," PRIVATELOG, in contrast, leverages a technique known as DLL search order hijacking in order to get the malicious library loaded when it is called by a victim program, in this case a service called "PrintNotify." The technique works because Windows resolves a DLL requested by name by walking a fixed list of directories; a planted copy that sits earlier in that order than the legitimate prntvpt.dll in System32 is the one that gets loaded.
"Similarly to STASHLOG, PRIVATELOG starts by enumerating *.BLF files in the default user's profile directory and uses the .BLF file with the oldest creation date timestamp," the researchers noted, before using it to decrypt and store the second-stage payload.
Mandiant recommends that organizations apply YARA rules to scan internal networks for signs of the malware and watch for potential Indicators of Compromise (IoCs) in "process," "imageload," or "filewrite" events recorded by endpoint detection and response (EDR) systems.
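The two detection angles above, a known System32 DLL name loaded from an unexpected path (the search order hijack) and writes to *.BLF files under the default user profile, plus the .BLF selection rule quoted from the write-up, can be turned into triage logic. The following is an added example written for this page, not code from Mandiant or from the malware; the EDR event schema (`type`, `process`, `image_path`, `target_path`), the sample events, the zero GUID in the .BLF name, and the non-System32 load path are all constructed, and the Mandiant-provided YARA rules are not reproduced here.

```python
"""Triage helpers for the PRIVATELOG / STASHLOG behaviour described above.
Added example; the event schema and sample events below are constructed and do
not come from any real EDR product or from the original write-up."""
from __future__ import annotations

import os
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
DEFAULT_PROFILE = PureWindowsPath(r"C:\Users\Default")

# Where each watched DLL legitimately lives. prntvpt.dll is the name used by
# PRIVATELOG; the table can be extended from a clean baseline host. 32-bit
# loaders would additionally need SysWOW64 entries.
EXPECTED_DLL_PATH = {"prntvpt.dll": SYSTEM32 / "prntvpt.dll"}


def _same_path(a: PureWindowsPath, b: PureWindowsPath) -> bool:
    """Case-insensitive comparison, as NTFS paths are case-insensitive."""
    return str(a).lower() == str(b).lower()


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' for Windows paths."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return len(p) > len(r) and p[: len(r)] == r


def check_imageload(event: dict) -> str | None:
    """Flag a watched DLL name loaded from anywhere but its expected path."""
    if event.get("type") != "imageload":
        return None
    loaded = PureWindowsPath(event["image_path"])
    expected = EXPECTED_DLL_PATH.get(loaded.name.lower())
    if expected is not None and not _same_path(loaded, expected):
        return f"search-order hijack: {event['process']} loaded {loaded}"
    return None


def check_filewrite(event: dict) -> str | None:
    """Flag writes to *.BLF files under the Default user profile."""
    if event.get("type") != "filewrite":
        return None
    target = PureWindowsPath(event["target_path"])
    if target.suffix.lower() == ".blf" and _under(target, DEFAULT_PROFILE):
        return f"blf write: {event['process']} wrote {target}"
    return None


def triage(events: list[dict]) -> list[str]:
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_imageload, check_filewrite):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


def pick_target_blf(listing: list[tuple[str, float]]) -> str | None:
    """Reproduce the selection rule quoted from the write-up: the *.BLF with
    the oldest creation timestamp. Input is (path, creation_time) pairs, e.g.
    from a forensic file listing, so a responder knows which file to pull."""
    blfs = [(p, ts) for p, ts in listing if p.lower().endswith(".blf")]
    if not blfs:
        return None
    return min(blfs, key=lambda item: item[1])[0]


def list_blf_with_ctime(profile_dir: str) -> list[tuple[str, float]]:
    """Build that listing from a live directory. st_birthtime is used where
    the platform exposes it; on Windows st_ctime is the creation time, on
    Linux it is the inode change time, so only trust this on the host itself."""
    out = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            if name.lower().endswith(".blf"):
                full = os.path.join(root, name)
                st = os.stat(full)
                out.append((full, getattr(st, "st_birthtime", st.st_ctime)))
    return out


# Constructed sample events: one benign load, one hijack, one .BLF write in the
# Default profile, one unrelated write. Paths and the zero GUID are made up.
SAMPLE_EVENTS = [
    {"type": "imageload", "process": "svchost.exe",
     "image_path": r"C:\Windows\System32\prntvpt.dll"},
    {"type": "imageload", "process": "svchost.exe",
     "image_path": r"C:\Users\Public\Libraries\prntvpt.dll"},
    {"type": "filewrite", "process": "svchost.exe",
     "target_path": r"C:\Users\Default\NTUSER.DAT{00000000-0000-0000-0000-000000000000}.TM.blf"},
    {"type": "filewrite", "process": "notepad.exe",
     "target_path": r"C:\Windows\Temp\notes.log"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Both checks are deliberately narrow: the image-load check keys on an exact expected path rather than "outside System32" so that a planted copy in a System32 subdirectory is still caught, and the file-write check only looks at the Default profile because that is the directory the write-up names; widening either to every user profile or every watched DLL is a policy choice for the environment, not a change to the logic.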