Researchers have discovered a malicious campaign that uses a never-before-seen technique for executing shellcode on a system: the shellcode is written in chunks into the Windows event logs and later read back out of them and executed.
The malware used in this campaign first copies the legitimate WerFault.exe, the Windows error handler application, into the C:\Windows\Tasks directory. Then, it drops a loader payload into the same directory and names it wer.dll to force the newly copied WerFault.exe to load it upon execution due to DLL search order hijacking. For persistence, the malware then creates a Run Registry key that executes this WerFault.exe binary on startup.
When the wer.dll payload is executed, it searches the Key Management Service event log for records with a category of 0x4142 (“AB” in ASCII). If none are found, it writes the shellcode in 8KB chunks into Information-level log messages via the ReportEvent() Windows API function. If such records are found, the payload instead reassembles all the 8KB chunks into the complete shellcode and executes it.
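The three artifacts described above (category-0x4142 records in the KMS log, the relocated WerFault.exe and wer.dll in C:\Windows\Tasks, and a Run key pointing at that copy) can be checked on a host with the following hunt script. It is an added example, not code from the researchers, and it assumes that the Key Management Service log is a classic log, so the category passed to ReportEvent() surfaces as the Task property of each record returned by Get-WinEvent.

```powershell
# Added hunt script (not part of the original research). Assumption: in the
# classic Key Management Service log, the ReportEvent() wCategory value is
# exposed as the Task property of each Get-WinEvent record.
$findings = @()

# 1. Records carrying category 0x4142 ("AB") in the KMS log.
$kmsEvents = @(Get-WinEvent -LogName 'Key Management Service' -ErrorAction SilentlyContinue |
    Where-Object { $_.Task -eq 0x4142 })
if ($kmsEvents.Count -gt 0) {
    # Get-WinEvent returns newest first, so the last element is the earliest write.
    $findings += "KMS log: $($kmsEvents.Count) record(s) with category 0x4142, earliest at $($kmsEvents[-1].TimeCreated)"
}

# 2. The copied WerFault.exe and the search-order-hijacking wer.dll.
foreach ($path in 'C:\Windows\Tasks\WerFault.exe', 'C:\Windows\Tasks\wer.dll') {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 3. Run keys (machine and user) that launch WerFault.exe from C:\Windows\Tasks.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        if ("$($p.Value)" -match 'Windows\\Tasks\\WerFault\.exe') {
            $findings += "Run key ${key}\$($p.Name) -> $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of the event-log shellcode loader found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM Run key and the KMS log are readable; a hit on any one of the three checks warrants pulling the host for forensic review.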
This shellcode is used to execute final stage payloads, such as an HTTP or named pipe Trojan, which in turn communicates back to the threat actor’s Command and Control (C2) infrastructure. Attribution for this malware is currently unknown, as while some of the early-stage components are commercially available products, the final stage Trojans and the Windows event log technique are unique to this campaign.