Beware of this new Windows malware: it hides in an unusual place in the system

Attackers have developed a new and unusually sophisticated piece of Windows malware. It stores its payload inside the Windows event log, a technique not seen before in the wild, and uses it to conceal a final-stage Trojan that can harvest confidential data from the infected computer without leaving that last stage as a file on disk.

The event log had been regarded as an unlikely place to hide an infection. By its nature, the Event Viewer is a tool users rarely open, and the records it displays are not meant to execute anything. Yet attackers have found a way to use the log itself as a storage container for malicious code.

Kaspersky researchers are behind this discovery. The research team describes its finding in these terms: “In February 2022, we observed the technique of putting shellcode into Windows event logs for the first time during a malicious attack. It allows a ‘fileless’ Trojan to be hidden in plain sight in the file system.”


The payload is stored in the Windows event log

For context, the Event Viewer displays the Windows event logs, which record system events, application errors and the like from the moment the OS is in use. It lets you identify bugs or Windows crashes, analyse them and, where needed, forward them to an administrator. It is reachable from the context menu of the Start button, shown by right-clicking the Windows icon in the taskbar.

Although present on every version of Windows, the Event Viewer is largely ignored by users. Who would be suspicious of a tool that only lists errors? Yet attackers have managed to turn the underlying event log into a hiding place for malicious code.

Denis Legezo, a researcher at Kaspersky, says the technique is a first. The dropper copies the legitimate WerFault.exe (the Windows Error Reporting executable) into the C:\Windows\Tasks directory and places a malicious wer.dll next to it, named after the genuine Windows Error Reporting library that normally lives in System32. When this copy of WerFault.exe starts, it looks for wer.dll in its own directory before the system directories, so the attacker's library is loaded instead of the real one: a classic DLL search order hijack. From the user's point of view nothing looks wrong, since the process that is running is a signed Windows binary.

This is where the malicious wer.dll goes to work. It searches the event log for records carrying a specific marker: category 0x4142, ‘AB’ in ASCII. If no such records exist, it writes the encrypted shellcode into the log in 8 KB pieces, as the binary data of otherwise ordinary-looking event records. On later runs it reads those pieces back, decrypts them and executes the resulting code, one or more Trojans, directly in memory. That last stage never exists as a file on disk.

Figure: the malware writing its shellcode into the Windows event log (image credit: Kaspersky).
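The two artefacts described above, a copied WerFault.exe with a wer.dll beside it in C:\Windows\Tasks and event records tagged with category 0x4142, are what a responder can actually look for. The following hunt script is an added example written for this article; it is not Kaspersky's code nor the malware's. The source name, the 1 KB size floor for a "suspicious" payload, the dump directory and the assumption that the pieces reassemble in ascending record order are this example's own choices.

```powershell
# Added example (not Kaspersky's or the malware's code): hunt for the two artefacts the
# article describes. Run in an elevated PowerShell on the host under investigation.
#   1. a copy of WerFault.exe and a wer.dll sitting in C:\Windows\Tasks (search-order hijack)
#   2. event-log records with category 0x4142 ("AB") that carry a binary payload
# Assumptions of this example only: the 1 KB size floor, the dump directory, and that the
# payload pieces reassemble in ascending RecordId order.
param(
    [string]$LogName  = 'Application',
    [int]   $Category = 0x4142,
    [int]   $MinBytes = 1024,
    [string]$DumpDir  = "$env:TEMP\evtlog-stash"
)

# 1. Dropped-file check: neither file belongs in the Tasks directory; the genuine ones live in System32.
foreach ($name in 'WerFault.exe', 'wer.dll') {
    $p = Join-Path $env:WINDIR "Tasks\$name"
    if (Test-Path $p) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $p).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $p).Status
        Write-Warning "Found $p  SHA256=$hash  signature=$sig"
    }
}

# 2. Event-log check: select records by category with an XPath filter (Task is the category
#    field of the record) and decode the <Binary> element, which holds the raw bytes an
#    application passes to ReportEvent().
$hits = Get-WinEvent -LogName $LogName -FilterXPath "*[System[Task=$Category]]" -ErrorAction SilentlyContinue |
        Sort-Object RecordId
if (-not $hits) {
    Write-Host ("No {0} records with category 0x{1:X}" -f $LogName, $Category)
    return
}

New-Item -ItemType Directory -Force -Path $DumpDir | Out-Null
$stream = New-Object System.IO.MemoryStream
foreach ($e in $hits) {
    [xml]$x = $e.ToXml()
    $hex = [string]$x.Event.EventData.Binary
    if (-not $hex) { continue }
    # <Binary> is hex text; decode it two characters at a time.
    $bytes = New-Object byte[] ([int]($hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    if ($bytes.Length -lt $MinBytes) { continue }
    Write-Output ("RecordId={0} Time={1} Provider={2} EventId={3} Bytes={4}" -f `
        $e.RecordId, $e.TimeCreated, $e.ProviderName, $e.Id, $bytes.Length)
    # Keep every piece on its own and also append it to a single blob for later analysis.
    [IO.File]::WriteAllBytes((Join-Path $DumpDir "$($e.RecordId).bin"), $bytes)
    $stream.Write($bytes, 0, $bytes.Length)
}
if ($stream.Length -gt 0) {
    $blob = Join-Path $DumpDir 'reassembled.bin'
    [IO.File]::WriteAllBytes($blob, $stream.ToArray())
    Write-Warning "Wrote $($stream.Length) bytes of event-log payload to $blob; treat the file as hostile"
}
```

The script only finds records still present in the log, so export the log first with `wevtutil epl Application C:\evidence\Application.evtx` if you want to preserve evidence before the log rolls over, and point `Get-WinEvent -Path` at the export for offline work. A match on the category alone is not proof of compromise; what matters is a large binary payload under a category no legitimate source on that host uses, together with the out-of-place WerFault.exe copy.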

A storage technique never seen before on Windows

Once the loader is in place and running, the attacker can steal the user’s personal data. Although hiding code in the event log is new, the rest of the attack relies on existing tooling that is easy to find online. Researchers found traces of well-known Trojans in the malicious code, such as ThrowBack and SlingShot, two tools from a commercial penetration-testing toolkit called SilentBreak, after which Kaspersky named the campaign.

According to Kaspersky, the technique was used in a “very targeted” campaign. What makes it unusual is that the final stage does not depend on any additional file on disk: the loader rides on a legitimate Windows binary and keeps its payload inside a data store the operating system already maintains, the event log.

Kaspersky does not say which editions of Windows are affected. Since the event log and Windows Error Reporting exist in every edition, the technique plausibly works on all of them, from Windows 7 to Windows 11, Home, Pro and otherwise, though this is an inference rather than something the researchers state. Kaspersky also does not specify whether current antivirus solutions detect this threat. What defenders can look for in the meantime are the concrete indicators above: a copy of WerFault.exe and a wer.dll in C:\Windows\Tasks, and event records with category 0x4142 carrying large binary data.

Source : Kaspersky
