The inventiveness of pirates is sometimes limitless. Kaspersky security researchers have detected a new campaign of targeted cyberattacks that have surprised them greatly. It breaks down, as often, into several stages of deployment of malicious code. But one of these steps is particularly innovative. Indeed, the hackers wrote their malicious code in the form of ” shell code », that is to say an executable binary code intended to be injected into the memory of the infected system.
This code was encrypted, then cut into small pieces of 8 KB before being scattered in part of the Windows logs. When the time comes, a corrupted DLL file will take care of recovering all these bits, assembling them again and executing the code thus obtained.
It is a particularly discreet and difficult to detect process, because at no time does the malicious code exist in the form of a file. This is the first time that Kaspersky researchers have observed this cloaking technique in a real attack.
Also see video:
This campaign is also characterized by the use of a wide range of tools, some from pentest commercial ones like Cobalt Strike or SilentBreak, others being custom-made.
All these tools, which the researchers detail in a very technical blog post, serve only one purpose: to install a backdoor accessible from the outside, either through the HTTP protocol, or by an inter-process communication technique. called “named pipe” (“named pipes”).
As the malicious codes analyzed do not resemble anything known, Kaspersky is currently unable to attribute them to a group of hackers already referenced. What is clear is that this is not the work of amateurs, but probably the creation of a state organization. But who ?
Source : Kaspersky