Cybersecurity researchers have disclosed particulars a couple of new malware household that depends on the Widespread Log File System (CLFS) to cover a second-stage payload in registry transaction recordsdata in an try and evade detection mechanisms.
FireEye’s Mandiant Superior Practices group, which made the invention, dubbed the malware PRIVATELOG, and its installer, STASHLOG. Specifics in regards to the identities of the risk actor or their motives stay unclear.
Though the malware is but to be detected in real-world assaults aimed toward buyer environments or be noticed launching any second-stage payloads, Mandiant suspects that PRIVATELOG may nonetheless be in growth, the work of a researcher, or deployed as a part of a extremely focused exercise.
CLFS is a general-purpose logging subsystem in Home windows that is accessible to each kernel-mode in addition to user-mode functions corresponding to database programs, OLTP programs, messaging purchasers, and community occasion administration programs for constructing and sharing high-performance transaction logs.
“As a result of the file format will not be extensively used or documented, there aren’t any out there instruments that may parse CLFS log recordsdata,” Mandiant researchers explained in a write-up printed this week. “This supplies attackers with a possibility to cover their information as log data in a handy method, as a result of these are accessible via API features.”
PRIVATELOG and STASHLOG include capabilities that permit the malicious software program to linger on contaminated units and keep away from detection, together with the usage of obfuscated strings and management movement methods which might be expressly designed to make static evaluation cumbersome. What’s extra, the STASHLOG installer accepts a next-stage payload as an argument, the contents of that are subsequently stashed in a selected CLFS log file.
Common as an un-obfuscated 64-bit DLL named “prntvpt.dll,” PRIVATELOG, in distinction, leverages a method known as DLL search order hijacking as a way to load the malicious library when it’s known as by a sufferer program, on this case, a service known as “PrintNotify.”
“Equally to STASHLOG, PRIVATELOG begins by enumerating *.BLF recordsdata within the default consumer’s profile listing and makes use of the .BLF file with the oldest creation date timestamp,” the researchers famous, earlier than utilizing it to decrypt and retailer the second-stage payload.
Mandiant recommends that organizations apply YARA guidelines to scan inner networks for indicators of malware and be careful for potential Indicators of Compromise (IoCs) in “course of”, “imageload” or “filewrite” occasions related to endpoint detection and response (EDR) system logs.