Malicious code hidden in a fake Windows log file: a new attack technique used by hackers
Recently, Huntress Labs, a vendor of cyber security threat-detection software, uncovered a sophisticated new attack technique. The scenario demands a lot of patience from the attacker, but the payoff can be huge.
Specifically, after gaining access to the victim's computer, the hackers use a file called "a.chk" to silently deploy malicious code. The file is disguised as an error log file for a Windows application.

The columns in this file look normal except for the last one. At a glance, that column appears to hold hexadecimal values; read as decimal numbers, however, they are the codes of characters in the ASCII table. Once decoded, the characters form a script that connects to the hackers' control server so that further actions can be carried out.
Without careful review, even security experts would not notice anything abnormal about these log files: the rows and columns look like timestamps and references to Microsoft's internal version numbers.
Closer inspection revealed that the hackers had hidden the code that extracts the relevant data and builds an encrypted payload. The payload is the part of a piece of malware that runs on the victim's computer to perform the malicious activity itself, such as destroying data, sending spam or encrypting data. Besides the payload, such malware carries additional code to spread itself or to avoid detection.
You can see how the hackers hid the code in the image below; note the rightmost column:

According to security expert John Ferrell, vice president of Huntress Labs, the payload is built by means of fake Windows scheduled tasks. The two executables launched by this technique are renamed copies of default Windows commands, chosen to avoid detection.
The first, BfeOnService.exe, is a copy of mshta.exe. It executes VBScript that starts PowerShell and runs the commands contained in it.
The second, engine.exe, is a copy of powershell.exe. It is responsible for extracting the ASCII numbers from the fake log file and decoding them into further scripts that build the payload.
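As an added illustration of the decoding step described above and of the "last column is really ASCII codes" trick explained earlier (this is not code from Huntress Labs or from the article), the following Python check reads a log-like file, interprets the last column of every line as decimal ASCII codes and flags the file when that column decodes to readable text. The log layout and both sample logs are constructed for this example.

```python
import re

# Constructed sample of a fake application log whose last column hides decimal
# ASCII codes (layout assumed for illustration, not Huntress's real a.chk).
SUSPICIOUS_LOG = """\
2020-06-01 10:00:01 0x7a9 10.0.19041.1 71
2020-06-01 10:00:02 0x7aa 10.0.19041.1 101
2020-06-01 10:00:03 0x7ab 10.0.19041.1 116
2020-06-01 10:00:04 0x7ac 10.0.19041.1 45
2020-06-01 10:00:05 0x7ad 10.0.19041.1 68
2020-06-01 10:00:06 0x7ae 10.0.19041.1 97
2020-06-01 10:00:07 0x7af 10.0.19041.1 116
2020-06-01 10:00:08 0x7b0 10.0.19041.1 101
"""
# Constructed benign log with the same layout; its last column is a small counter.
BENIGN_LOG = """\
2020-06-01 10:00:01 0x7a9 10.0.19041.1 0
2020-06-01 10:00:02 0x7aa 10.0.19041.1 3
2020-06-01 10:00:03 0x7ab 10.0.19041.1 0
"""

def trailing_codes(log_text):
    # Last field of every non-empty line as an int, or None if one is not decimal.
    codes = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not re.fullmatch(r"\d+", fields[-1]):
            return None
        codes.append(int(fields[-1]))
    return codes

def decode_codes(codes):
    # Treat each integer as an ASCII code point; escape anything non-printable.
    return "".join(chr(c) if 32 <= c <= 126 else f"\\x{c:02x}" for c in codes)

def looks_like_text(codes, min_len=8):
    # Flag a column that is entirely printable ASCII and reads mostly as letters,
    # digits or script-style punctuation; genuine counters rarely do.
    if len(codes) < min_len or not all(32 <= c <= 126 for c in codes):
        return False
    wordish = sum(chr(c).isalnum() or chr(c) in " -_.$()" for c in codes)
    return wordish / len(codes) >= 0.8

def scan_log(log_text):
    # Returns whether the trailing column decodes to text and, if so, the text.
    codes = trailing_codes(log_text)
    if codes is None or not looks_like_text(codes):
        return {"suspicious": False, "decoded": ""}
    return {"suspicious": True, "decoded": decode_codes(codes)}
```

The threshold and character set are heuristics; in practice the decoded text is handed to an analyst rather than executed.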

Once built, the payload collects information about the browsers, tax-related software, security software and point-of-sale (PoS) software installed on the victim's computer.
At this time it is not known which hacker or group is behind the attack. It is a fairly sophisticated method, and it shows that hackers keep looking for ways to break into personal and business computers and steal important information.