Hackers are using this strange technique to launch attacks against Windows devices
Cybercriminals continue to devise new ways to avoid detection
A new attack technique has been discovered by Huntress Labs which uses a number of tricks including renaming legitimate files, impersonating an existing scheduled task and using fake error logs to hide in plain sight.
After gaining persistence on a targeted system, the attacker used a file which imitates a Windows error log for an application to prepare the system for script-based attacks.
In a blog post, founder and vice president of Huntress Labs, John Ferrell explained that cybercriminals have went to some lengths to make their fake error log appear legitimate, saying:
“At first glance, it looks like a log for some application. It has timestamps and includes references to OS 6.2, the internal version number for Windows 8 and Window Server 2012. It turns out that this file is associated with a malicious foothold that we discovered.”
- Hackers infecting other hackers with remote-access trojan
- More people are searching how to be a hacker during lockdown
- Bug bounties have made these hackers millionaires
The fake error log used by the attackers actually stores ASCII characters which have been disguised as hexadecimal values.
Hiding in plain sight
Once the fake error log has been decoded, it makes a script that is used to contact the attacker's command and control server to find out what to do next.
According to Ferrel, the payload is obtained by using a scheduled task impersonating a real one on the targeted system. The technique also uses two executables which have been renamed to appear as legitimate files.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The first is named “BfeOnService.exe” and this is actually a copy of a utility called “mshta.exe” that executes Microsoft HTML Applications (HTA). The utility has been abused in the past to deploy malicious HTA files but in this case, it is used to execute a VBScript to start PowerShell and run a command in it. The other executable is named “engine.exe” and is a copy of “powershell.exe”. It is used to extract the ASCII numbers contained in the fake error log and convert them in order to obtain the payload.
The payload itself collects information about browsers, tax software, security software and PoS software installed on the system. However, at this time, the end goal of the attacker using this new attack technique is still unknown.
- We've also highlighted the best antivirus software
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.