The new hacking technique affects Windows and is almost undetectable.
The attackers used a purpose-built dropper to inject fileless malware into the Windows 11 event logs, specifically the Key Management Services (KMS) log. This is the first time the technique has been observed in the wild, and it is cause for concern: it is designed to make the infection process almost impossible to detect until it is too late.
Kaspersky Lab researchers discovered the new technique after a customer reported an infected machine. The victim of the attack was tricked into downloading a RAR archive from a legitimate file-sharing site; once downloaded, it ran silently and went on to infect the system. The whole campaign is “very targeted” and uses a wide range of tools, the researchers said, some of them custom-built and others commercial.
In practice, the attack injects shellcode payloads into the Windows event logs under Key Management Services (KMS), relying on a purpose-built dropper to keep the attack invisible. The shellcode was encrypted, split into small 8 KB pieces, and scattered across part of the Windows logs. Shellcode, as a reminder, is a sequence of machine code or executable instructions placed in the computer’s memory in order to take control of the running program.
Divide and rule
Specifically, the malware copies WerFault.exe, the operating system’s genuine error-handling executable, to the C:\Windows\Tasks folder. It then drops a Windows Error Reporting library (wer.dll) carrying an encrypted binary resource in the same location. The malicious code enters the system through DLL search order hijacking: the rogue DLL retrieves the small shellcode fragments from the logs, reassembles them, and then executes the resulting code. So even if the user inspects their event logs, nothing out of the ordinary stands out, and the attacker can silently install the virus.
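A defender-side illustration of the two passages above (the 8 KB chunking and the reassembly from the logs), added here as an example and not code from Kaspersky’s report or the article: a heuristic that scans event records for runs of large, high-entropy payloads of roughly equal size. The log names, record ids, thresholds and sample data are all constructed assumptions.

```python
import math
import random
from collections import defaultdict

# Constructed sample records modelled on the article's description (not real log data):
# (log_name, record_id, event_data). Benign entries carry short text; the suspicious
# run is five records that each hold ~8 KB of encrypted-looking bytes.
_rng = random.Random(2022)
SAMPLE_EVENTS = [
    ("Key Management Service", 101, b"Activation status refreshed"),
    ("Key Management Service", 102, b"License validation succeeded"),
    ("Application", 103, b"Service started successfully"),
] + [
    ("Key Management Service", 200 + i, bytes(_rng.getrandbits(8) for _ in range(8192)))
    for i in range(5)
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_chunked_payloads(events, chunk_size=8192, tolerance=0.9,
                          min_entropy=7.0, min_chunks=3):
    """Return {log_name: [record_ids]} for logs holding at least `min_chunks`
    event payloads that are about `chunk_size` bytes and look encrypted, which is
    what a shellcode store split into fixed-size pieces looks like.
    The thresholds are assumptions and should be tuned per environment."""
    candidates = defaultdict(list)
    for log_name, record_id, data in events:
        if len(data) >= chunk_size * tolerance and shannon_entropy(data) >= min_entropy:
            candidates[log_name].append(record_id)
    return {log: ids for log, ids in candidates.items() if len(ids) >= min_chunks}

if __name__ == "__main__":
    for log, ids in find_chunked_payloads(SAMPLE_EVENTS).items():
        print(f"{log}: {len(ids)} suspicious records {ids}")
```

Real deployments would feed records exported from the Key Management Service log into the same function rather than the constructed sample.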
The campaign is believed to have started in September 2021. Since it bears no relation to previously reported attacks, it is likely the work of a completely new entrant; for now, the researchers have named the actor SilentBreak.