New Fileless Malware Technique Leverages Windows Event Logs to Hide

The experts of the multinational dedicated to computer security Kaspersky have discovered a new technique to hide so-called ‘fileless’ malware within the event logs of Windows.

Windows Events is a tool that records system activity, including computer errors and warnings, making it especially useful for understanding and dealing with any computer problem.

The firm’s experts have detected a targeted ‘malware’ campaign that uses a technique they have described as “unique”, in which “the attacker saved and then executed an encrypted ‘shellcode’ from Windows event logs “, As pointed out by the company’s principal investigator, Denis Legezo, in a statement sent to Europa Press.

The attack begins with the infection of the system, which is carried out via the module ‘dropper’ (and type of ‘malware’ that contains an executable file) from a document downloaded by the victim.

The attackers then inject the malware in shell code snippets (which allow control of processes and files) encrypted within the Windows event logs. Subsequently, they are decrypted and executed.

In addition, they use a variety of anti-detection ‘wrappers’ (programs or code that wrap other components) to go unnoticed. From Kaspersky they point out that some modules have even been signed with a digital certificate for greater accuracy.

Once inside the system and in the last phase of their attack, cybercriminals use two types of Trojans to gain more control. These are governed by two different communication mechanisms: HTTP with RC4 encryption and unencrypted named pipes.

Cybercriminals also use commercial ‘pentesting’ tools (set of simulated attacks to detect weaknesses in a system), specifically SilentBreak y CobaltStrike. Thus, they combine known techniques with custom decryptors.

The firm’s experts acknowledge that it is “the first time” that they observe the use of Windows event logs to hide ‘shell’ codes, and perpetrate an attack of these characteristics.


To protect against fileless malware and other similar threats, Kaspersky recommends using a reliable endpoint security solution that can detect file behavior anomalies and against high-profile attacks, in addition to installing anti-APT solutions. and EDR to discover and detect threats, as well as investigate and remedy incidents.

Experts also advise providing the Security Operations Center (SOC) team with access to the latest threats, as well as regularly updating its members with professional training.

By Editor

Leave a Reply