A new attack technique has been discovered by Huntress Labs which uses a number of tricks including renaming legitimate files, impersonating an existing scheduled task and using fake error logs to hide in plain sight.
After gaining persistence on a targeted system, the attacker used a file which imitates a Windows error log for an application to prepare the system for script-based attacks.
In a blog post, founder and vice president of Huntress Labs, John Ferrell explained that cybercriminals have went to some lengths to make their fake error log appear legitimate, saying:
“At first glance, it looks like a log for some application. It has timestamps and includes references to OS 6.2, the internal version number for Windows 8 and Window Server 2012. It turns out that this file is associated with a malicious foothold that we discovered.”
The fake error log used by the attackers actually stores ASCII characters which have been disguised as hexadecimal values.
Hiding in plain sight
Once the fake error log has been decoded, it makes a script that is used to contact the attacker’s command and control server to find out what to do next.
According to Ferrel, the payload is obtained by using a scheduled task impersonating a real one on the targeted system. The technique also uses two executables which have been renamed to appear as legitimate files.
The first is named “BfeOnService.exe” and this is actually a copy of a utility called “mshta.exe” that executes Microsoft HTML Applications (HTA). The utility has been abused in the past to deploy malicious HTA files but in this case, it is used to execute a VBScript to start PowerShell and run a command in it. The other executable is named “engine.exe” and is a copy of “powershell.exe”. It is used to extract the ASCII numbers contained in the fake error log and convert them in order to obtain the payload.
The payload itself collects information about browsers, tax software, security software and PoS software installed on the system. However, at this time, the end goal of the attacker using this new attack technique is still unknown.