New Malware Uses Novel Fileless Technique to Evade Detection

PRIVATELOG and its installer STASHLOG first to use Common Log File System to stash secondary payload, Mandiant researchers say.

3 Min Read
Malware warning on phone
Source: Suttipun via Shutterstock

Researchers recently uncovered a new memory-resident malware family and installer that they say employ a unique and stealthy approach to hide from threat detection tools.

FireEye's Mandiant advanced practices team — which named the malware PRIVATELOG and its installer, STASHLOG — says it has not observed the malware on any customer networks, nor has the vendor recovered any second-stage payloads the malware may have launched. Still, the malware is noteworthy because of the novel technique it uses to try and reside undetected in memory on infected systems, according to the security vendor .

Fileless — or memory-resident — malware typically executes in memory, unlike malware that writes payloads to disk and therefore is more easily detected via antivirus tools.

"These fileless techniques do not write directly to disk in the traditional sense but utilize Windows storage containers, such as the Windows registry, to house the payload," says Blaine Stancill, senior reverse engineer with Mandiant FLARE team. The storage containers are accessible via various Windows APIs, making them easy to use from a threat actor's perspective but difficult to analyze from a defender’s perspective as the container’s typically use undocumented structures, he says.

Usually, the preferred locations for fileless malware storage include the Windows registry, Windows Management Instrumentation (WMI) and the Common Information Model (CIM) repository. But STASHLOG and PRIVATELOG are different because they use what is known as Common Log File System (CLFS) log containers to store malicious payloads, Stancill notes. These are containers that Windows uses to temporarily store data for registry transactions and other high-volume operations, he explains.

"STASHLOG selects an available CLFS container and inserts data into it in the same way that Windows does, using CLFS APIs," Stancill says. This allows the payload to be stored without creating any new files on the system.

According to the security researcher, STASHLOG and PRIVATELOG are the first known malware samples to use CLFS as place for storing malicious payloads, essentially making it a new fileless technique.

Matthew Dunwoody, senior principal researcher at Mandiant, says the new tactic is significant because it expands on the number of techniques used for fileless malware storage. "If defenders aren’t aware of this technique, they may not be able to effectively locate the hidden data or fully respond to the activity," Dunwoody says.

These techniques can also complicate scanning by antivirus tools, as the storage location may not be scanned, or the storage technique may change the format of the data, he notes.

Memory-Resident Malware on the Rise
Fileless malware tools have become an almost standard component of attacker toolkits these days. With antivirus and malware detection tools getting increasingly better at detecting malware written to disk, threat actors have resorted to using memory-resident tools for executing malicious actions.

Watchguard Technologies released a report earlier this year based on an analysis of endpoint threat intelligence data that found a staggering 900% increase in the use of fileless malware in endpoint attacks between 2019 and 2020. The study found that attackers are using toolkits such as Cobalt Strike and PowerSploit to inject malicious code into running processes and remain operational even if the original script is identified and removed.

The usual recommendations for mitigating risk to a network apply to fileless malware as well, Dunwoody says. This includes patching to mitigate vulnerabilities, managing the risk of phishing through both technology, and employee education and monitoring systems for evidence of malicious activity.

Dunwoody adds: "We also provided recommendations and detection rules to help identify possible usage of PRIVATELOG and STASHLOG malware, and their usage of CLFS."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights