#ESETresearch confirms in-the-wild use of the PRIVATELOG/STASHLOG malware reported by @Int2e_ and @MalwareMechanic from @FireEye earlier this week. Findings 👇 @0xfmz 1/11 fireeye.com/blog/threat-re…
We saw this malware family used in a targeted attack against a high profile company in 🇯🇵 Japan in May 2021. We recovered 2 samples that match FireEye's description of PRIVATELOG and STASHLOG, along with a previously unknown sample we call SPARKLOG 2/11
With STASHLOG being the installer and PRIVATELOG a loader, SPARKLOG is the launcher component for PRIVATELOG. Its main purpose is to retrieve PRIVATELOG from the log file, decrypt it, and get it loaded into a legitimate service, which varies from one OS version to another. 3/11
From Windows Server 2012 to Windows 10, SPARKLOG drops PRIVATELOG as %SYSTEM32%\spool\drivers\x64\3\prntvpt.dll (mimicking a legitimate Windows DLL), then stops and starts the existing PrintNotify service to load the DLL. PrintNotify is a legitimate Windows service. 4/11
From Windows Vista to Windows 7, SPARKLOG uses a well-known DLL hijacking technique that involves dropping PRIVATELOG as %SYSTEM32%\WindowsPowershell\v1.0\wlbsctrl.dll, then stops and starts the legitimate Windows IKEEXT service to load it. 5/11
Depending on the command line, and unlike with prntvpt.dll, the file is wiped if the service starts successfully. 6/11
We believe that there should exist a version of PRIVATELOG that, as in the case of prntvpt.dll, mimics or attempts to look like wlbsctrl.dll, another legitimate Windows DLL. 7/11
Interestingly, the SPARKLOG executable contains an icon (which doesn’t seem to belong to any specific software), and it creates a non-visible window to which it posts a message that triggers the execution of a thread to launch PRIVATELOG. 8/11
We are sharing the following IoCs in the hope that the community can use them to continue to research and find the missing components of the malware: 9/11
SPARKLOG F8D46895E738254238473D650D99BDC92C34EE44
PRIVATELOG 9267FE0BB6D367FC9186E89EA65B13BAA7418D87
STASHLOG BB93AE0FEE817FE56C31BDC997F3F7D57A48C187
10/11
Seen:
C:\Windows\apppatch\Custom\Custom64\Spark.exe
C:\Windows\AppPatch\Custom\Custom64\Shiver.exe
C:\Windows\system32\spool\drivers\x64\3\prntvpt.dll
Probable:
C:\Windows\system32\spool\drivers\w32x86\3\prntvpt.dll
C:\Windows\system32\WindowsPowershell\v1.0\wlbsctrl.dll
11/11
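Added example: the following PowerShell hunting script is not from the ESET thread or any ESET tooling. It turns the indicators above (the three SHA-1 hashes, the seen and probable file paths, and the two abused services PrintNotify and IKEEXT) into a single host check. The 30-day lookback, the use of Service Control Manager event 7036 to spot the stop/start of those services, and the "present at a hijack path but not Microsoft-signed" heuristic are assumptions of this example, not findings from the thread.

```powershell
# Added hunting script, not code from the ESET thread or any ESET tool.
# Checks a host for the file paths and SHA-1 hashes published in the thread and
# for recent restarts of the two services SPARKLOG abuses (PrintNotify, IKEEXT).
# Run from an elevated PowerShell prompt. The 30-day lookback and the
# "present but not Microsoft-signed" heuristic are assumptions made here.

$ErrorActionPreference = 'SilentlyContinue'

# SHA-1 hashes exactly as published in the thread (10/11).
$KnownHashes = @{
    'F8D46895E738254238473D650D99BDC92C34EE44' = 'SPARKLOG'
    '9267FE0BB6D367FC9186E89EA65B13BAA7418D87' = 'PRIVATELOG'
    'BB93AE0FEE817FE56C31BDC997F3F7D57A48C187' = 'STASHLOG'
}

# "Seen" and "Probable" paths from the thread (11/11), with C:\Windows
# replaced by $env:SystemRoot so the check works on non-default installs.
$Paths = @(
    "$env:SystemRoot\apppatch\Custom\Custom64\Spark.exe"
    "$env:SystemRoot\AppPatch\Custom\Custom64\Shiver.exe"
    "$env:SystemRoot\System32\spool\drivers\x64\3\prntvpt.dll"
    "$env:SystemRoot\System32\spool\drivers\w32x86\3\prntvpt.dll"
    "$env:SystemRoot\System32\WindowsPowershell\v1.0\wlbsctrl.dll"
)

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($Path in $Paths) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { continue }

    $Sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $Sig  = Get-AuthenticodeSignature -LiteralPath $Path

    if ($KnownHashes.ContainsKey($Sha1)) {
        # Exact IoC match: strongest signal.
        $Findings.Add([pscustomobject]@{
            Severity = 'High'
            Item     = $Path
            Reason   = "SHA-1 $Sha1 matches published $($KnownHashes[$Sha1]) sample"
        })
        continue
    }

    # Heuristic (assumption): a file sitting at one of these hijack locations that is
    # not Microsoft-signed deserves a look even if its hash is not one of the three
    # IoCs, since the thread expects further, still-unseen variants.
    $IsMicrosoftSigned = ($Sig.Status -eq 'Valid') -and
                         ($Sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    $Severity = if ($IsMicrosoftSigned) { 'Info' } else { 'Medium' }
    $Findings.Add([pscustomobject]@{
        Severity = $Severity
        Item     = $Path
        Reason   = "Present at hijack path; SHA-1 $Sha1; signature $($Sig.Status)"
    })
}

# SPARKLOG stops and starts PrintNotify (Server 2012 to Win10) or IKEEXT (Vista to 7)
# to get the DLL loaded. The Service Control Manager records every state change as
# System event 7036 using the service display name, so match on both forms.
$ServicePattern = 'PrintNotify|Printer Extensions and Notifications|IKEEXT|IKE and AuthIP IPsec Keying Modules'
$ScmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = (Get-Date).AddDays(-30)   # lookback window is an assumption
} | Where-Object { $_.Message -match $ServicePattern }

foreach ($Evt in $ScmEvents) {
    $Findings.Add([pscustomobject]@{
        Severity = 'Low'
        Item     = $Evt.TimeCreated.ToString('u')
        Reason   = ($Evt.Message -replace '\s+', ' ').Trim()
    })
}

if ($Findings.Count -eq 0) {
    Write-Output 'No SPARKLOG/PRIVATELOG indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

A hash match is the only finding that ties a file to the published samples; the "Medium" and "Low" rows are leads to triage, not verdicts. In particular, 7036 events for PrintNotify and IKEEXT also occur on normal reboots, so correlate their timestamps with the file finds and with process creation around Spark.exe / Shiver.exe before drawing conclusions.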