Home » Technology » New malware cleverly hides in the Windows event logs

New malware cleverly hides in the Windows event logs

There are several techniques that are theoretically feasible for malware attacks but are never used in practice. But sometimes that changes, according to a new discovery by security researchers at Kaspersky. They found the first malware in the wild that hides its payload in the Windows Event Logs.

Although such a method existed as a possible concept among scientists, such methods are rarely used in practice because they can only be implemented with considerably more effort than the conventional methods, for which numerous tools exist. In which case discovered now a classic malware dropper causes the WerFault.exe file to be copied to C:WindowsTasks. An encrypted binary resource is also stored under the file name wer.dll. This in itself poses no significant damage potential and should not normally be detected by automated routines.

Well camouflaged

The malware only works in combination with code that is also stored encrypted in the Windows event logs. However, if the malicious code becomes active, it can still be found due to the unusual system behavior – this is what happened in the present case. The Kaspersky researchers found out because their guards had hit a customer’s computer.

The analysis found that the malware was likely a highly targeted attack and not malware that was distributed in large numbers. Kaspersky researcher Denis Legezo concludes that the attacker either has extensive knowledge or not exactly cheap commercial tools to run such a campaign. However, he expects similar attacks to become more common in the future, as the procedure for sideloading malware code in the Windows Event Logs has now also been demonstrated on GitHub.