Cybercriminals have begun using a new technique for hiding malicious code: storing it in the event logs of the Windows operating system. Kaspersky Lab researchers reported the discovery of this new type of attack.
The technique is based on storing encrypted shellcode in the Windows event log. Shellcode is a short sequence of machine instructions which, once executed, lets the attacker run further malicious code on the system. Initial infection is carried out by executable files from a RAR archive downloaded by the victim; some of these files are signed with a digital certificate so that they appear trustworthy. The chain ends with several Trojans designed to give the attackers remote control of infected devices.
Kaspersky Lab experts note that this is the first time they have seen malicious code stored in the Windows event logs. Because the payload does not sit on disk as a separate executable file and is only read back out of the log when it is needed, file-based antivirus scanning does not see it, which helps the attackers reach their goals undetected.
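Since the page only describes the technique, here is an added detection example (not code from Kaspersky or from the original article) showing how a defender might hunt for it: legitimate event data is mostly short text or structured XML, so event records carrying a large, near-random binary payload stand out. The script scores each record's payload by Shannon entropy, flags records that are both large and high-entropy, and stitches flagged chunks written under one source back together for further analysis. The event records, the provider name, event ID and the pseudo-random bytes standing in for ciphertext are all constructed for this example, and the size and entropy thresholds are assumptions to be tuned against a baseline of real logs (in practice the records would come from `Get-WinEvent` or the Windows API rather than an inline list).

```python
import math
import random
from dataclasses import dataclass


@dataclass
class EventRecord:
    """Minimal stand-in for a Windows event log record (constructed for this example)."""
    log: str          # log name, e.g. "Application"
    provider: str     # event source / provider name
    event_id: int
    record_id: int    # increases per log; used to keep chunk order
    data: bytes       # raw event data / message payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_suspicious_events(records, min_size=1024, min_entropy=7.0):
    """Return records whose payload is both large and high-entropy.

    Both thresholds are assumptions for this example; tune them against a
    baseline of real logs before using them as an alert rule.
    """
    return [
        r for r in records
        if len(r.data) >= min_size and shannon_entropy(r.data) >= min_entropy
    ]


def reassemble_chunks(hits):
    """Group flagged records by (log, provider, event_id) and concatenate them in record order.

    A loader that splits its payload across several records writes them under
    one source, so stitching them back together yields the whole blob for
    further analysis (decryption attempts, YARA scanning, sandboxing).
    """
    groups = {}
    for r in sorted(hits, key=lambda r: (r.log, r.record_id)):
        groups.setdefault((r.log, r.provider, r.event_id), bytearray()).extend(r.data)
    return {k: bytes(v) for k, v in groups.items()}


# Constructed sample log. FAKE_CIPHERTEXT is seeded pseudo-random data standing in
# for an encrypted payload; it is not real shellcode and the source/ID are made up.
_rng = random.Random(20220504)
FAKE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(3 * 8192))

SAMPLE_EVENTS = [
    EventRecord("Application", "MsiInstaller", 1033, 101,
                b"Windows Installer installed the product. Installation success or error status: 0."),
    EventRecord("Application", "Some Service", 7036, 102,
                b"The service entered the running state. " * 40),  # large but low entropy
    EventRecord("Application", "ExampleSource", 4242, 103, FAKE_CIPHERTEXT[:8192]),
    EventRecord("Application", "ExampleSource", 4242, 104, FAKE_CIPHERTEXT[8192:16384]),
    EventRecord("Application", "ExampleSource", 4242, 105, FAKE_CIPHERTEXT[16384:]),
]

if __name__ == "__main__":
    hits = find_suspicious_events(SAMPLE_EVENTS)
    for r in hits:
        print(f"record {r.record_id}: {r.provider}/{r.event_id} "
              f"{len(r.data)} bytes, entropy {shannon_entropy(r.data):.2f}")
    for key, blob in reassemble_chunks(hits).items():
        print(f"reassembled {len(blob)} bytes from {key}")
```

The second sample record shows why size alone is a poor signal: a long, repetitive status message passes the size threshold but has low entropy, while the three chunked pseudo-ciphertext records score close to 8 bits per byte and are reassembled into one 24 KB blob.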
To avoid trouble, IT security experts advise users to be careful and not to download files from dubious sources. For defenders, the event logs themselves are worth monitoring: unusually large or high-entropy binary payloads in event records are a sign that this technique may be in use.
More details on the malicious campaign using Windows event logs are available on Kaspersky's Securelist page.