5th September 2021, Kathmandu
Cybersecurity researchers have disclosed details about an incipient malware family that relies on the Mundane Log File System (CLFS) to obnubilate a second-stage payload in registry transaction files in an endeavor to eschew detection mechanisms.
FireEye’s Mandiant Advanced Practices team, which made the revelation, dubbed the malware PRIVATE LOG, and its installer, STASHLOG. Specifics about the identities of the threat actor or their motives remain obscure.
Albeit the malware is yet to be detected in genuine-world attacks aimed at customer environments or be spotted launching any second-stage payloads, Mandiant suspects that PRIVATE LOG could still be in development, the work of a researcher, or deployed as a component of a highly targeted activity.
CLFS is a general-purport logging subsystem in Windows that’s accessible to both kernel-mode as well as utilizer-mode applications such as database systems, OLTP systems, messaging clients, and network event management systems for building and sharing high-performance transaction logs.
“Because the file format is not widely used or documented, there are no available implements that can parse CLFS log files,” Mandiant researchers explicated in an indite-up published this week. “This provides assailers with an opportunity to obnubilate their data as log records in a convenient way because these are accessible through API functions.”
PRIVATE LOG and STASHLOG come with capabilities that sanction the malevolent software to linger on infected contrivances and eschew detection, including the utilization of obfuscated strings and control flow techniques that are expressly designed to make static analysis cumbersome. What’s more, the STASHLOG installer accepts a next-stage payload as an argument, the contents of which are subsequently stashed in a concrete CLFS log file.
Fashioned as an un-obfuscated 64-bit DLL designated “prntvpt.dll,” PRIVATE LOG, in contrast, leverages a technique called DLL search order hijacking in order to load the malevolent library when it is called by a victim program, in this case, an accommodation called “PrintNotify.”
“Similarly to STASHLOG, PRIVATE LOG commences by enumerating *.BLF files in the default utilizer’s profile directory and utilizes the.BLF file with the oldest engendering date timestamp,” the researchers noted, afore utilizing it to decrypt and store the second-stage payload.
Mandiant recommends that organizations apply YARA rules to scan internal networks for denotements of malware and keep optical discerners open for potential Designators of Compromise (IoCs) in “process”, “image load” or “file write” events associated with endpoint detection and replication (EDR) system logs.