A new malware family has been discovered that uses Common Log File System (CLFS) to stay undetected. Named PRIVATELOG, this malware uses another malware—StashLog—as its installer.
What's new?
FireEye's Mandiant Advanced Practices team has discovered PRIVATELOG and StashLog evading detection from security agencies in their own unique way. The threat actor responsible and their motives behind the attack are, as of now, unknown.
The malware hasn’t been used in real-world attacks or observed to launch any second-stage payloads. It is believed to be in development or used for specific activities.
As CLFS format is not very popular, no tools can read CLFS log files. This makes it possible to hide data as CLFS log records, without getting caught on any security radars. This data can be accessed using API functions.
PRIVATELOG’s identified sample is an un-obfuscated 64-bit DLL file. While StashLog is its installer that uses obfuscated strings and control flow techniques that complicate detection.
Delivering the payloads
PRIVATELOG and StashLog have slightly contrasting methods for delivering other malicious payloads
The StashLog installer allows a next-stage payload as an argument and the contents of it could be stored in a CLFS log file.
PRIVATELOG uses the DLL search order hijacking method to load the malicious library. The malicious payload gets executed when it is called by a victim's program, such as PrintNotify.
Moreover, PRIVATELOG first identifies *.BLF files in default user's profile directory. Then, uses a .BLF file with the oldest date timestamp, before decrypting and storing the payload of the second stage.
Closing lines
The use of CLFS log files to stay undetected is a new trick used by this unknown threat actor. Mandiant has provided YARA rules to spot CLFS containers matching PRIVATELOG structures or encrypted data. In addition, the security agency recommends scanning for IOCs in the events with the keywords ‘process’, ‘imageload’, or ‘filewrite’ in the EDR logs.