[MART] - Daily Diary #341 - New Malware Family Using The Log File System To Hide Data

CTAS-MAT ctas-mat at appgate.com
Fri Sep 3 21:41:51 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

09/03/2021 - Diary entry #341:

A new and unknown malware family named PRIVATELOG was spotted using a different technique to hide data. The technique consists in using the Common Log File System (CLFS) to hide a second-stage payload in transaction files. CLFS is a logging framework for high-performance that provides API functions to manage log data into files with the extension ".blf". This file format is not commonly used, so there are no available tools to parse them, neither has a documentation. Therefore, this is an interesting way to malware hide its data using API functions to impersonate log data.

Along with the PRIVATELOG malware, was found an installer named STASHLOG. This installer has two objectives. The first one is to prepare the environment by generating encryption keys used to pre-encrypt the payload before it is written to disk. The last one is to hide the next-stage payload in a CLFS file.

When PRIVATELOG is executed via DLL SideLoading, it enumerates the CLSF files to get and execute the payload by using an uncommon injection technique to load it into a legitimate process. The next-stage payloads were not found yet, so the complete threat might still be under development. The threat actor behind it remains unknown.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210903/213ccb42/attachment.htm>

More information about the MART mailing list