Malware Hides In CLFS To Evade Detection – Expert Reaction


FireEye’s Mandiant researchers have discovered a malware family using the Common Log File System (CLFS) to hide their second-stage payload in registry transaction files. In their blog post Too Log; Didn’t Read they detail how PRIVATE LOG and its installer STASHLOG use what they say is a novel and especially interesting technique(s) to obfuscate their presence.  An expert with Gurucul offers comment.

Notify of

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Saryu Nayyar
Saryu Nayyar , CEO
InfoSec Expert
September 8, 2021 10:43 am

<p>Log files represent fertile ground for attacking data on systems and networks. Few organizations study their log files to better understand their computing environments, so they mostly just sit there. In this case, the CLFS log format doesn’t even have any tools available to be able to read it, so what better a place to store hacker data?</p>
<p>The easy answer to this type of attack is that if you’re not using the log data, don’t log it. Turn off logging. If you insist on logging, examine the log files on a regular basis to ensure they haven’t been corrupted. Note when data is written into them and keep track of how that data is accessed.</p>

Last edited 1 year ago by Saryu Nayyar
Information Security Buzz
Would love your thoughts, please comment.x