Malware Hides In CLFS To Evade Detection – Expert Reaction

By   ISBuzz Team
Writer , Information Security Buzz | Sep 08, 2021 02:41 am PST


FireEye’s Mandiant researchers have discovered a malware family using the Common Log File System (CLFS) to hide their second-stage payload in registry transaction files. In their blog post Too Log; Didn’t Read they detail how PRIVATE LOG and its installer STASHLOG use what they say is a novel and especially interesting technique(s) to obfuscate their presence.  An expert with Gurucul offers comment.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Saryu Nayyar
Saryu Nayyar , CEO
September 8, 2021 10:43 am

<p>Log files represent fertile ground for attacking data on systems and networks. Few organizations study their log files to better understand their computing environments, so they mostly just sit there. In this case, the CLFS log format doesn’t even have any tools available to be able to read it, so what better a place to store hacker data?</p>
<p>The easy answer to this type of attack is that if you’re not using the log data, don’t log it. Turn off logging. If you insist on logging, examine the log files on a regular basis to ensure they haven’t been corrupted. Note when data is written into them and keep track of how that data is accessed.</p>

Last edited 2 years ago by Saryu Nayyar

Recent Posts

Would love your thoughts, please comment.x