Researchers recently uncovered a new memory-resident malware family and installer that they say employ a unique and stealthy approach to hide from threat detection tools.
FireEye's Mandiant advanced practices team — which named the malware PRIVATELOG and its installer, STASHLOG — says it has not observed the malware on any customer networks, nor has the vendor recovered any second-stage payloads the malware may have launched. Still, the malware is noteworthy because of the novel technique it uses to try to reside undetected in memory on infected systems, according to the security vendor.
Fileless — or memory-resident — malware typically executes in memory, unlike malware that writes payloads to disk and therefore is more easily detected via antivirus tools.
"These fileless techniques do not write directly to disk in the traditional sense but utilize Windows storage containers, such as the Windows registry, to house the payload," says Blaine Stancill, senior reverse engineer with Mandiant FLARE team. The storage containers are accessible via various Windows APIs, making them easy to use from a threat actor's perspective but difficult to analyze from a defender's perspective, as the containers typically use undocumented structures, he says.
Usually, the preferred locations for fileless malware storage include the Windows registry, Windows Management Instrumentation (WMI) and the Common Information Model (CIM) repository. But STASHLOG and PRIVATELOG are different because they use what is known as Common Log File System (CLFS) log containers to store malicious payloads, Stancill notes. These are containers that Windows uses to temporarily store data for registry transactions and other high-volume operations, he explains.
"STASHLOG selects an available CLFS container and inserts data into it in the same way that Windows does, using CLFS APIs," Stancill says. This allows the payload to be stored without creating any new files on the system.
According to the security researcher, STASHLOG and PRIVATELOG are the first known malware samples to use CLFS as a place for storing malicious payloads, essentially making it a new fileless technique.
Matthew Dunwoody, senior principal researcher at Mandiant, says the new tactic is significant because it expands on the number of techniques used for fileless malware storage. "If defenders aren’t aware of this technique, they may not be able to effectively locate the hidden data or fully respond to the activity," Dunwoody says.
These techniques can also complicate scanning by antivirus tools, as the storage location may not be scanned, or the storage technique may change the format of the data, he notes.
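Because STASHLOG writes into an existing CLFS container through the same APIs Windows uses, the container itself looks like any other CLFS artifact, so a responder's first problem is simply knowing where the CLFS logs on a host are and whether they have changed. The script below is an added example for this article, not Mandiant's tooling and not one of the detection rules the vendor mentions: it inventories CLFS base log files (the .blf files) and the container files beside them, records owner, timestamps and hashes, and diffs a later inventory against a saved baseline. The list of "known" Windows CLFS directories and the heuristic that container files share their base log's name are assumptions to adjust from a known-good host; the registry transaction logs under System32\config\TxR are held open by the kernel, so hashing those requires a forensic image or a shadow copy.

```powershell
# Added example: inventory CLFS base logs (*.blf) and their containers, then diff.
# CLFS logs are normal on Windows, so treat the output as triage context, not a verdict.

function Get-ClfsInventory {
    [CmdletBinding()]
    param(
        [string[]] $Root = @("$env:SystemDrive\"),
        # Assumption: directories where Windows itself keeps CLFS logs.
        # Extend from a known-good host; anything outside is only "unexpected".
        [string[]] $KnownLocations = @(
            "$env:SystemRoot\System32\config\TxR",
            "$env:SystemRoot\System32\SMI\Store\Machine"
        )
    )

    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Filter *.blf -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $blf = $_
            $dir = $blf.DirectoryName
            # Container files are named by the application that created the log, so there
            # is no fixed extension (TxR uses .regtrans-ms). Siblings sharing the base log's
            # name are the portable heuristic used here (assumption).
            $containers = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -ne '.blf' -and $_.BaseName -like "$($blf.BaseName)*" }

            [pscustomobject]@{
                BaseLog       = $blf.FullName
                Owner         = (Get-Acl -LiteralPath $blf.FullName -ErrorAction SilentlyContinue).Owner
                LastWriteUtc  = $blf.LastWriteTimeUtc
                KnownLocation = [bool]($KnownLocations | Where-Object { $dir -like "$_*" })
                Containers    = @($containers | ForEach-Object {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        Size         = $_.Length   # containers are preallocated; size rarely moves
                        LastWriteUtc = $_.LastWriteTimeUtc
                        # Files held open exclusively (e.g. TxR) hash as $null on a live host.
                        Sha256       = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash
                    }
                })
            }
        }
    }
}

function Compare-ClfsInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    $baseLogs   = @{}
    $baseHashes = @{}
    foreach ($b in $Baseline) {
        $baseLogs[$b.BaseLog] = $b
        foreach ($c in $b.Containers) { $baseHashes[$c.Path] = $c.Sha256 }
    }

    foreach ($entry in $Current) {
        if (-not $baseLogs.ContainsKey($entry.BaseLog)) {
            [pscustomobject]@{ Change = 'NewBaseLog'; Path = $entry.BaseLog; KnownLocation = $entry.KnownLocation }
        }
        foreach ($c in $entry.Containers) {
            if (-not $baseHashes.ContainsKey($c.Path)) {
                [pscustomobject]@{ Change = 'NewContainer'; Path = $c.Path; KnownLocation = $entry.KnownLocation }
            } elseif ($baseHashes[$c.Path] -ne $c.Sha256) {
                # Expected for busy logs such as TxR; worth a look when the log is otherwise
                # idle or lives outside the known locations.
                [pscustomobject]@{ Change = 'ContainerContentChanged'; Path = $c.Path; KnownLocation = $entry.KnownLocation }
            }
        }
    }
}

# Usage: snapshot a known-good host, then re-run on a suspect host (or later) and diff.
# Get-ClfsInventory | ConvertTo-Json -Depth 4 | Set-Content clfs-baseline.json
# $baseline = Get-Content clfs-baseline.json -Raw | ConvertFrom-Json
# Compare-ClfsInventory -Baseline $baseline -Current (Get-ClfsInventory) | Format-Table
```

Run it elevated; without administrator rights the sweep skips protected directories and the owner lookup fails silently. A new base log or container outside the known locations is the cheap signal; a content change in an idle log is the one that deserves carving the container and looking at what was appended.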
Memory-Resident Malware on the Rise
Fileless malware tools have become an almost standard component of attacker toolkits these days. With antivirus and malware detection tools getting increasingly better at detecting malware written to disk, threat actors have resorted to using memory-resident tools for executing malicious actions.
Watchguard Technologies released a report earlier this year based on an analysis of endpoint threat intelligence data that found a staggering 900% increase in the use of fileless malware in endpoint attacks between 2019 and 2020. The study found that attackers are using toolkits such as Cobalt Strike and PowerSploit to inject malicious code into running processes and remain operational even if the original script is identified and removed.
The usual recommendations for mitigating risk to a network apply to fileless malware as well, Dunwoody says. This includes patching to mitigate vulnerabilities, managing the risk of phishing through both technology and employee education, and monitoring systems for evidence of malicious activity.
Dunwoody adds: "We also provided recommendations and detection rules to help identify possible usage of PRIVATELOG and STASHLOG malware, and their usage of CLFS."