Kaspersky uncovers fileless malware inside Windows event logs May 9, 2022 https://www.techrepublic.com/article/kaspersky-fileless-malware-windows-event-logs/ "An unprecedented discovery made by Kaspersky could have serious consequences for those using Windows operating systems. The cybersecurity company published an article on May 4 detailing that - for the first time ever - hackers have placed shellcode into Windows event logs, hiding Trojans as fileless malware." A new secret stash for "fileless" malware 04 May 2022 https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
Indicators of Compromise: IPv4 Code: 178.79.176.136 93.95.228.97 162.0.224.144 185.145.253.62 194.195.241.46 178.79.176.1 Domains Code: eleed.online eleed.cloud timestechnologies.org avstats.net mannlib.com nagios.dreamvps.com opswat.info
But how the heck is this stuff even possible? Looks like Windows was designed to cater to hackers, which allows them to develop all kinds of advanced malware techniques, it's ridiculous.
You'd probably be surprised at what is possible. I doubt Windows was designed to cater to hackers, but it may not have been designed to account for them. Probably not entirely possible. Where I don't feel it is fair to blame software companies for hackers, it often seems the hackers are smarter. I guess they have greater motivation and incentive. Thier financial reward probably scales with their ambition and effort. Many software engineers are underpaid. Criminals aren't limited by anything but skill and effort.
Yes good point, but these hacking techniques keep getting weirder and weirder. Why on earth is this stuff even possible, why not remove a couple of hundred API's in Windows, because this stuff seems to be used strictly by malware and not by legitimate tools. There are simply too many ways to bypass AV's and firewall.
Windows is too old and too common to fix. Something else would have to be created. Then people would have to use it. No, Linux is not that thing.
Exactly! You are spot on it's been completely by design all along. How else could they keep the computer security business industry and third parties humming along. Not to mention the hackers raking it in too. This looks like a fun one that @itman can sink his choppers in. One heck of an in depth A to Z write up too.
I already mitigated this when it was discovered. Using a HIPS, monitor/block any process creating wer.dll and WerFault.exe files in C:\Windows\Tasks directory.
So in reality this find is a sort of a redundant rehash of similar fileless types. Not that it would help or lessen other structure of that same intrusion but I purposely delete entire Event Logs on a regular basis just to conserve space. That article says 'first time ever" which probably means they admit they haven't yet audited the entire layout of a Windows System where one such addition has little purpose compared to the TEETH of a significant system attack path. Supportive PowerShell junk where by now everyone even laymen know the capabilities if it isn't confined by some type of focuses security measure.
That's what I mean, it's like they created all of these ''OS features'' to make life of hackers easier and to keep the computer security industry very profitable. I'm sure they could design Windows in a way that would limit hacker attack techniques, without breaking legitimate apps. Let's take code-injection as example, almost none legitimate apps make use of it, except for security tools. Yet there are plenty of ways to perform advanced code injection, see links. And this isn't only possible on Windows, but also on macOS, which does make you think that they really didn't take malware into consideration when designing the OS, but it still looks shady to me. https://www.elastic.co/blog/ten-pro...-technical-survey-common-and-trending-process https://www.darkreading.com/endpoint/researchers-explore-remote-code-injection-in-macos
If truth be known I held reservations way back on Windows XP. Instead of MS constructing iron-clad innovation for end users and business protections against intrusions, it seems have introduced all sorts of novel opportunities & channels without first taking into account the best way to 'first' prevent everything that users experienced which is proven detrimental. Just an opinion of mine. Or else in reality they haven't the gumption to outfit Windows sensibly enough without all the kiddie crap that's made it a toy for hackers and the unlearned to pry open and gum up everything.
