This New Malware Family Using CLFS Log Files to Avoid Detection


Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System (CLFS) to hide a second-stage payload in registry transaction files in an attempt to evade detection mechanisms.

Although the malware has yet to be detected in real-world attacks aimed at customer environments, or been spotted launching any second-stage payload, the researchers suspect that PRIVATELOG could still be in development, the work of a researcher, or deployed as part of highly targeted activity.

CLFS is a general-purpose logging subsystem in Windows that is accessible to both kernel-mode and user-mode applications, such as database systems, OLTP systems, messaging clients, and network event management systems, for building and sharing high-performance transaction logs.

Because the file format is not widely used or documented, there are no readily available tools that can parse CLFS log files. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions," the researchers said.

PRIVATELOG and STASHLOG come with capabilities that allow the malicious software to linger on infected devices and avoid detection, including the use of obfuscated strings and control flow techniques that are expressly designed to make static analysis cumbersome. What's more, the STASHLOG installer accepts a next-stage payload as an argument, the contents of which are subsequently stashed in a specific CLFS log file.

Fashioned as an un-obfuscated 64-bit DLL named "prntvpt.dll," PRIVATELOG, in contrast, leverages a technique called DLL search order hijacking in order to load the malicious library when it is called by a victim program, in this case, a service called "PrintNotify". "Similarly to STASHLOG, PRIVATELOG starts by enumerating *.BLF files in the default user's profile directory and uses the .BLF file with the oldest creation date timestamp," the researchers noted, before using it to decrypt and store the second-stage payload.

The researchers recommended that organizations apply YARA rules to scan internal networks for signs of the malware, and watch for potential Indicators of Compromise (IoCs) in "process", "imageload" or "filewrite" events recorded in endpoint detection and response (EDR) logs.
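As an added illustration of that recommendation (this is not code from the article or from the researchers), the following Python triage pass reads constructed EDR events in JSON-lines form and raises a hunting lead for the two behaviours described above: prntvpt.dll being loaded from somewhere other than its expected System32 directory, and a .BLF file being written under the default user's profile. The event field names and both paths (System32 as the legitimate home of prntvpt.dll, C:\Users\Default as the default profile) are assumptions of this example.

```python
import json
from pathlib import PureWindowsPath

# Assumed, not stated in the article: where the legitimate prntvpt.dll lives
# and where "the default user's profile directory" is on a stock install.
EXPECTED_PRNTVPT_DIR = PureWindowsPath(r"C:\Windows\System32")
DEFAULT_PROFILE = PureWindowsPath(r"C:\Users\Default")


def check_event(ev):
    """Return a hunting lead for one EDR event (dict), or None if it looks benign."""
    kind = ev.get("event")
    if kind == "imageload":
        img = PureWindowsPath(ev["image"])
        # Search-order hijack: the PrintNotify host process loads prntvpt.dll
        # from the wrong directory. PureWindowsPath compares case-insensitively.
        if img.name.lower() == "prntvpt.dll" and img.parent != EXPECTED_PRNTVPT_DIR:
            return f"{ev['process']} loaded prntvpt.dll from {img}"
    elif kind == "filewrite":
        target = PureWindowsPath(ev["target"])
        # STASHLOG/PRIVATELOG stage data into an existing .BLF under the default
        # profile; legitimate writers exist too, so this is a lead, not a verdict.
        if target.suffix.lower() == ".blf" and DEFAULT_PROFILE in target.parents:
            return f"{ev['process']} wrote CLFS log {target}"
    return None


def scan(lines):
    """Run check_event over JSON-lines telemetry; return the list of leads."""
    leads = []
    for line in lines:
        line = line.strip()
        if line:
            lead = check_event(json.loads(line))
            if lead:
                leads.append(lead)
    return leads


# Constructed sample telemetry (not real logs); field names are hypothetical.
SAMPLE_EVENTS = r"""
{"event": "imageload", "process": "svchost.exe", "image": "C:\\Windows\\System32\\prntvpt.dll"}
{"event": "imageload", "process": "svchost.exe", "image": "C:\\Users\\Public\\prntvpt.dll"}
{"event": "filewrite", "process": "installer.exe", "target": "C:\\Users\\Default\\AppData\\Local\\sample.BLF"}
{"event": "filewrite", "process": "svchost.exe", "target": "C:\\Users\\alice\\AppData\\Local\\sample.blf"}
{"event": "process", "process": "notepad.exe", "image": "C:\\Windows\\System32\\notepad.exe"}
""".splitlines()

if __name__ == "__main__":
    for lead in scan(SAMPLE_EVENTS):
        print(lead)
```

Running it prints two leads: the prntvpt.dll load from C:\Users\Public and the .BLF write under C:\Users\Default; the System32 load and the write under a named user's profile are left alone.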
