Hackers use fake Windows error logs to hide malicious payload

guest · Jun 19, 2020

Hackers use fake Windows error logs to hide malicious payload
June 19, 2020
https://www.bleepingcomputer.com/ne...windows-error-logs-to-hide-malicious-payload/

Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks.
The trick is part of a longer chain with intermediary PowerShell commands that ultimately delivers a script for reconnaissance purposes.
Reading between the lines
MSP threat detection provider Huntress Labs discovered an attack scenario where a threat actor with persistence on a target machine tried to run an unusual trick to carry on with their attack routine.

“At first glance, it looks like a log for some application. It has timestamps and includes references to OS 6.2, the internal version number for Windows 8 and Window Server 2012” - John Ferrell
A closer inspection reveals the trick used by the actor to extract the relevant chunk of data (the numerical characters) and build the encoded payload. Below you can see how the numbers convert to text to form the script.
Click to expand...

Ferrell notes that the script decoded this way applies an in-memory patch to the Antimalware Scan Interface (AMSI) to bypass it. AMSI helps antivirus programs detect script-based attacks.
A second command acting as a downloader is executed to retrieve yet another PowerShell command with the same function. At the end of the chain is a payload that gathers information about the compromised system.
Click to expand...

Hiding In Plain Sight

What do you think this file is?
Click to expand...

guest · Sep 2, 2020

Attackers abuse Google DNS over HTTPS to download malware
September 2, 2020
https://www.bleepingcomputer.com/ne...se-google-dns-over-https-to-download-malware/

Earlier this year, BleepingComputer reported on hackers hiding malware in fake Windows error logs.

After gaining access to a Windows system and achieving persistence, the malware would read from a ".chk" file that impersonated event logs.
More information has emerged on this complex malware and some other sinister tasks it carries out.
Google DNS over HTTPS
While revisiting the malware sample, researchers at MSP threat detection provider Huntress Labs noticed a suspicious URL in the PowerShell code they had previously analyzed:

https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt
While Google DNS is being used to resolve the suspicious domain, the response returned via Google DNS contains the malicious payload in an encoded form, as verified by BleepingComputer: [...]
Click to expand...

Not a DKIM signature. These are C&C IPs!
To the casual eye, the "data" field value returned by the Google DNS query may look like a DKIM signature but this is yet another deceptive trick employed by the attackers.
This value appears to be a base64 encoded string but there is a caveat.

The innocuous-looking DNS lookup query provided flexibility to the attackers to make the Command and Control (C&C) infrastructure dynamic. They could change the C&C server IP list at will, by simply updating the DNS responses.
Click to expand...

Hiding in Plain Sight || Part 2

We recently uncovered a really peculiar piece of malware, which we’ve jokingly referred to as “the gift that keeps on giving.”
The more we dug into it, the more we found to uncover and unpack.

Note that is Part 2 of a previous blog post, Hiding in Plain Sight || Part 1” which describes the initial foothold.
Click to expand...

Log in or Sign up

Hackers use fake Windows error logs to hide malicious payload

guest Guest

guest Guest

Log in or Sign up

Hackers use fake Windows error logs to hide malicious payload

guest Guest

guest Guest

Useful Searches