FireEye’s Mandiant cybersecurity researchers spotted a new malware family, named PRIVATELOG, that relies on the Common Log File System (CLFS) to hide a second-stage payload in registry transaction files to avoid detection.
Common Log File System (CLFS) is a general-purpose logging subsystem that is accessible to both kernel-mode and user-mode applications for building high-performance transaction logs. It was introduced with Windows Server 2003 R2 and included in later Windows operating systems. CLFS can be used for both data logging and event logging. CLFS is used by TxF and TxR to store transactional state changes before they commit a transaction. Binary Log Files created by CLFS cannot be viewed with any built-in Windows tool.
Experts also provided technical details of another malware using CLFS, dubbed STASHLOG, that was used as a PRIVATELOG installer.
“PRIVATELOG and STASHLOG rely on the Common Log File System (CLFS) to hide a second stage payload in registry transaction files.” reads the analysis published by Mandiant.
The malware has yet to be detected in attacks in the wild and the researchers believe it is still under development or the result of a research project.
Experts pointed out that the malware leverages CLFS because there are no available tools that can parse CLFS log files, which means it is technically possible to hide malicious data as log records.
“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files. This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions. This is similar in nature to malware which may rely, for example, on the Windows Registry or NTFS Extended Attributes to hide their data, which also provide locations to store and retrieve binary data with the Windows API.” explained Mandiant researchers.
The STASHLOG installer accepts a next-stage payload as an argument and its content is ‘stashed’ in a CLFS log file.
The PRIVATELOG sample analyzed by Mandiant researchers is an un-obfuscated 64-bit DLL named prntvpt.dll that contains exports, which mimic those of legitimate prntvpt.dll files. PRIVATELOG expects to be loaded from PrintConfig.dll by hijacking the search order used to load DLLs.
Windows systems use a common search order to locate the DLLs a program needs to load. An attacker can hijack that search order to establish persistence, elevate privileges, or evade restrictions on file execution.
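A defender-side check for the hijacking described above, added here as an example and not part of Mandiant's report or rules: it enumerates copies of prntvpt.dll that sit outside the system directories or lack a valid Microsoft signature. The search roots, and the assumption that the legitimate copy lives in System32/SysWOW64, are the author's and should be adjusted per host.

```powershell
# Added example (not from Mandiant's report): hunt for prntvpt.dll copies that could be
# picked up by DLL search-order hijacking instead of the legitimate System32 module.
# Assumptions: the genuine module lives in System32 (and SysWOW64 on 64-bit hosts) and
# carries a valid Microsoft signature; the search roots below are illustrative.
$ModuleName  = 'prntvpt.dll'
$LegitDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
               ForEach-Object { $_.ToLowerInvariant() }
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData",
                 "$env:SystemRoot", "$env:USERPROFILE")   # assumption: adjust per host

$Findings = foreach ($root in $SearchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $ModuleName -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature also resolves catalog-signed system files.
        $sig        = Get-AuthenticodeSignature -FilePath $_.FullName
        $inLegitDir = $LegitDirs -contains $_.DirectoryName.ToLowerInvariant()
        $msSigned   = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft*')
        # Any copy outside the system directories, or without a valid Microsoft
        # signature, deserves a closer look (compare hashes, check which process loaded it).
        if (-not $inLegitDir -or -not $msSigned) {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Reason    = if (-not $inLegitDir) { 'Outside system directory' }
                            else { 'Signature not a valid Microsoft signature' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run from an elevated PowerShell session so that all directories are readable; an empty result means no suspicious copy was found under the chosen roots, not that the host is clean.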
Mandiant provides YARA rules to detect PRIVATELOG and STASHLOG malware as well as possible variants.
“Rules to detect CLFS containers matching PRIVATELOG structures or containing encrypted data are also provided. These rules should be tested thoroughly before they are run in a production environment.” concludes Mandiant.
(SecurityAffairs – hacking, PRIVATELOG)