Too Log; Didn’t Read — Unknown Actor Using CLFS Log Files for Stealth

This article has been indexed from Threat Research Blog

The Mandiant Advanced Practices team recently discovered a new
malware family we have named PRIVATELOG and its installer, STASHLOG.
In this post, we will share a novel and especially interesting
technique the samples use to hide data, along with detailed analysis
of both files that was performed with the support of FLARE analysts.
We will also share sample detection rules, and hunting recommendations
to find similar activity in your environment.

Mandiant has yet to observe PRIVATELOG or STASHLOG in any customer
environments or to recover any second-stage payloads launched by
PRIVATELOG. This may indicate malware that is still in development,
the work of a researcher, or targeted activity.

CLFS and Transaction Files

PRIVATELOG and STASHLOG rely on the Common Log File System (CLFS) to
hide a second stage payload in registry transaction files.

CLFS is a log framework that Microsoft introduced in Windows
Vista and Windows Server 2003 R2 to provide high-performance logging. It
exposes API functions (exported by clfsw32.dll) that applications use to create, store and read log data.

Because the file format is neither widely used nor documented, there
are no available tools that can parse CLFS log files. This gives
attackers a convenient opportunity to hide their data as log records,
since those records remain accessible through the API functions.
This is similar in nature to malware that relies, for example, on
the Windows Registry or NTFS Extended Attributes to hide its data;
these also provide locations to store and retrieve binary data through
the Windows API.

In Microsoft Windows, CLFS is notably used by the Kernel Transaction
Manager (KTM) for both Transactional NTFS (TxF) and Transactional
Registry (TxR) operations. These allow applications to perform a
number of changes on the filesystem or registry, all grouped in a
single transaction that can be committed or rolled back. For example,
to open a registry key in a transaction, the functions
RegCreateKeyTransacted(), RegOpenKeyTransacted(), and
RegDeleteKeyTransacted()
are available.

Registry transactions are stored in dedicated files with the
following naming scheme: <hive><GUID>.TMContainer<number>.regtrans-ms
or <hive><GUID>.TxR.<number>.regtrans-ms.
These are CL
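The naming scheme above is the kind of detail a hunt can key on. The following Python is an added example, not code from Mandiant or the original article: it parses `.regtrans-ms` file names according to the two patterns quoted in the text and flags files that either do not follow the scheme or carry a hive name outside a small allow-list. Two things are assumptions rather than statements from the page: that `<GUID>` is written in braces (as in `SYSTEM{...}.TxR.0.regtrans-ms`), and the list of hive names in `KNOWN_HIVES`, which is illustrative and should be tuned to the environment. The file listing is constructed inline so the script runs offline.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Regex derived from the two naming schemes quoted in the article:
#   <hive><GUID>.TMContainer<number>.regtrans-ms
#   <hive><GUID>.TxR.<number>.regtrans-ms
# Assumption (not stated on the page): the GUID appears in braces.
GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
REGTRANS_RE = re.compile(
    rf"^(?P<hive>.+?)(?P<guid>{GUID})\."
    r"(?:TMContainer(?P<container>\d+)|TxR\.(?P<txr>\d+))"
    r"\.regtrans-ms$",
    re.IGNORECASE,
)

# Illustrative allow-list of hive names (assumption; extend for your estate).
KNOWN_HIVES = frozenset(
    h.lower() for h in (
        "SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT",
        "NTUSER.DAT", "UsrClass.dat", "DRIVERS", "BBI", "ELAM", "COMPONENTS",
    )
)


@dataclass
class RegTransFile:
    hive: str
    guid: str
    kind: str      # "TMContainer" or "TxR"
    number: int


def parse_regtrans_name(name: str) -> Optional[RegTransFile]:
    """Split a registry transaction file name into its components, or None."""
    m = REGTRANS_RE.match(name)
    if not m:
        return None
    if m.group("container") is not None:
        return RegTransFile(m.group("hive"), m.group("guid"),
                            "TMContainer", int(m.group("container")))
    return RegTransFile(m.group("hive"), m.group("guid"),
                        "TxR", int(m.group("txr")))


def hunt_regtrans(paths: Iterable[str]) -> List[str]:
    """Return one finding per .regtrans-ms path that looks out of place.

    A file is reported when its name does not follow the CLFS/TxR naming
    scheme or when the hive component is not on the allow-list. Files that
    do not carry the .regtrans-ms extension are ignored.
    """
    findings = []
    for p in paths:
        name = PureWindowsPath(p).name
        if not name.lower().endswith(".regtrans-ms"):
            continue
        parsed = parse_regtrans_name(name)
        if parsed is None:
            findings.append(f"{p}: name does not follow the TxR naming scheme")
        elif parsed.hive.lower() not in KNOWN_HIVES:
            findings.append(f"{p}: unexpected hive name {parsed.hive!r}")
    return findings


# Constructed sample listing (not real telemetry); the GUID is made up.
_G = "{01234567-89ab-cdef-0123-456789abcdef}"
SAMPLE_LISTING = [
    rf"C:\Windows\System32\config\TxR\SYSTEM{_G}.TxR.0.regtrans-ms",
    rf"C:\Windows\System32\config\TxR\SYSTEM{_G}.TMContainer00000000000000000001.regtrans-ms",
    rf"C:\Users\alice\NTUSER.DAT{_G}.TxR.1.regtrans-ms",
    rf"C:\ProgramData\cache\data{_G}.TxR.0.regtrans-ms",        # odd hive name
    r"C:\Users\alice\AppData\Roaming\notes.regtrans-ms",          # no GUID / type
    r"C:\Windows\System32\config\SYSTEM",                          # not a transaction file
]

if __name__ == "__main__":
    for finding in hunt_regtrans(SAMPLE_LISTING):
        print(finding)
```

In practice the listing would come from `os.walk` over the volume or from an EDR file inventory; the point of the parse step is that the hive, GUID and sequence number become fields you can pivot on (for example, a `.regtrans-ms` file whose GUID matches no hive currently loaded on the host).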

[…]