Researchers have discovered a malicious campaign that utilizes a never-before-seen technique for executing shellcode on a system. This technique involves writing the malicious shellcode in chunks into the Windows event logs and then executing the shellcode from there.
The malware used in this campaign first copies the legitimate WerFault.exe, the Windows error handler application, into the C:\Windows\Tasks directory. Then, it drops a loader payload into the same directory and names it wer.dll to force the newly copied WerFault.exe to load it upon execution due to DLL search order hijacking. For persistence, the malware then creates a Run registry key that executes this WerFault.exe binary on startup.
When the wer.dll payload is executed, it searches the Key Management Service event log for records with a category of 0x4142 (“AB” in ASCII). If none are found, it writes the shellcode in 8KB chunks into the information logging messages via the ReportEvent() Windows API function. If these records are found, the payload will instead combine all the 8KB chunks into the complete shellcode and execute it.
This shellcode is used to execute final-stage payloads, such as an HTTP or named pipe Trojan, which in turn communicate back to the threat actor's Command and Control (C2) infrastructure. Attribution for this malware is currently unknown: while some of the early-stage components are commercially available products, the final-stage Trojans and the Windows event log technique are unique to this campaign.
The key to preventing and detecting this malware on a system is the use of endpoint security controls and EDR solutions. While the Windows event log technique itself will likely not be blocked by security controls because it is so new, the campaign also uses well-known, commercially available malware that can be stopped upon execution, which can keep the infection from ever reaching this stage. The new technique can nevertheless be detected in a few ways. WerFault.exe and wer.dll existing in an abnormal location, the creation of a Run registry key, and WerFault.exe performing suspicious behavior such as abnormal network callouts are all behaviors that can be monitored for and alerted upon. Binary Defense's Managed Detection and Response service is an excellent asset to assist with this detection need. Additionally, live analysis of a system can be used to determine whether it is already infected with this malware: parse the Key Management Service event log and look for any records with a category of 0x4142. If any are discovered, this may indicate an infection by this malware, and further investigation should be performed.
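As an added example, not code from the report or from Binary Defense, the following PowerShell checks a host for the indicators described above: category-0x4142 records in the Key Management Service log, the WerFault.exe/wer.dll pair in C:\Windows\Tasks, and Run keys that launch a WerFault.exe from outside System32. It assumes the ReportEvent() category surfaces as the Task field of each Get-WinEvent record and that the log's name is 'Key Management Service'; run it in an elevated session.

```powershell
# Added example (not the report's own code): hunt for the three indicators described above.
# Assumptions: the ReportEvent() category surfaces as each record's Task field in Get-WinEvent
# output, and the log is the built-in "Key Management Service" log. Run elevated.
function Find-EventLogShellcodeChunks {
    param(
        [string]$LogName = 'Key Management Service',
        [int]$Category   = 0x4142   # "AB" in ASCII, the category the loader uses
    )
    # FilterHashtable has no Task key, so filter client-side on the Task property.
    $events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
              Where-Object { $_.Task -eq $Category }
    foreach ($e in $events) {
        # ReportEvent() insertion strings land in Properties; a run of ~8KB records stands out.
        $len = ($e.Properties | ForEach-Object { "$($_.Value)".Length } | Measure-Object -Sum).Sum
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            RecordId    = $e.RecordId
            Provider    = $e.ProviderName
            PayloadLen  = [int]$len
        }
    }
}

function Find-WerFaultHijackArtifacts {
    $findings = @()
    $dir = Join-Path $env:SystemRoot 'Tasks'
    foreach ($name in 'WerFault.exe', 'wer.dll') {
        $p = Join-Path $dir $name
        if (Test-Path $p) { $findings += "File present: $p" }
    }
    # Run keys whose data launches a WerFault.exe from anywhere but System32.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($v.Name -notlike 'PS*' -and $v.Value -is [string] -and
                $v.Value -match 'WerFault\.exe' -and $v.Value -notmatch '\\System32\\') {
                $findings += "Run key: $k\$($v.Name) = $($v.Value)"
            }
        }
    }
    return $findings
}

$chunks = @(Find-EventLogShellcodeChunks)
"Records with category 0x4142 in the KMS log: $($chunks.Count)"
$chunks | Format-Table -AutoSize
Find-WerFaultHijackArtifacts
```

A clean host returns zero category-0x4142 records and no findings; any hit on either function warrants acquiring the log and the files in C:\Windows\Tasks for further analysis.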