A newly identified malware, PRIVATELOG, from the STASHLOG family, appears to use the Common Log File System (CLFS) to evade detection by security researchers and tools. It was recently identified by the cybersecurity researchers of FireEye's Mandiant Advanced Practices team.
CLFS (Common Log File System) is a general-purpose logging subsystem for creating high-performance transaction logs, available to both kernel-mode and user-mode programs. It debuted with Windows Server 2003 R2 and has been included in every subsequent Windows operating system. CLFS can be used for event logging as well as data logging. Like any other transactional logging system, its role is to record the sequence of steps required for a particular operation so that they can later be replayed correctly to commit the transaction to secondary storage, or undone if necessary.
An investigation report says that almost all of the strings used by PRIVATELOG and STASHLOG are obfuscated, but the crucial finding is that the techniques identified in the malware are extremely unusual. Details regarding the threat actor's identity and motivations are still unknown.
Mandiant recommends that organisations use YARA rules to scan internal networks for indicators of the malware, and watch for potential Indicators of Compromise (IoCs) in "process," "imageload," and "filewrite" events in EDR system logs.
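As an added illustration of that last recommendation (this is example code written for this page, not code from the article or from Mandiant), the script below scans EDR-style JSON events of the three types named above against an IoC list. Every IoC value and every event line in it is a constructed placeholder; real indicators would come from the vendor report, and the `type`, `image`, `target` and `sha256` field names are assumptions about the EDR export format rather than any specific product's schema.

```python
"""Match EDR telemetry of the "process", "imageload" and "filewrite" event
types against a list of IoCs.  Added example: all IoCs and events below are
constructed placeholders, not real PRIVATELOG/STASHLOG indicators."""
import json
import ntpath
from dataclasses import dataclass

# The three event types the recommendation singles out.
WATCHED_EVENT_TYPES = {"process", "imageload", "filewrite"}

# Constructed placeholder IoCs (lower-case so matching is case-insensitive).
# Populate these from the vendor report in a real deployment.
IOCS = {
    "sha256": {"placeholder_sha256_of_loader_sample"},
    "path_suffix": {r"\appdata\local\temp\placeholder_loader.dll"},
    "filename": {"placeholder_stash.blf"},
}

# Constructed EDR events, one JSON object per line; the field names are an
# assumed export format, and one deliberately malformed line is included.
SAMPLE_EVENTS = r"""
{"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "0000"}
{"type": "imageload", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\placeholder_loader.dll", "sha256": "1111"}
{"type": "filewrite", "image": "C:\\Windows\\System32\\notepad.exe", "target": "C:\\ProgramData\\placeholder_stash.blf"}
{"type": "process", "image": "C:\\Users\\u\\Downloads\\setup.exe", "sha256": "PLACEHOLDER_SHA256_OF_LOADER_SAMPLE"}
{"type": "netconn", "image": "C:\\Windows\\explorer.exe", "dst": "203.0.113.5"}
not json at all
"""


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based line in the input stream
    event_type: str   # process / imageload / filewrite
    indicator: str    # which IoC class matched
    value: str        # the matching value from the event


def _paths_of(event):
    """Return the file paths carried by an event that are worth matching."""
    paths = []
    if event.get("image"):
        paths.append(event["image"])
    # Only filewrite events carry a written-to target path.
    if event.get("type") == "filewrite" and event.get("target"):
        paths.append(event["target"])
    return paths


def scan_events(lines, iocs=IOCS):
    """Scan JSON-lines telemetry and return a Hit for every IoC match."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        etype = event.get("type")
        if etype not in WATCHED_EVENT_TYPES:
            continue
        sha = str(event.get("sha256", "")).lower()
        if sha and sha in iocs["sha256"]:
            hits.append(Hit(line_no, etype, "sha256", sha))
        for path in _paths_of(event):
            low = path.lower()
            if any(low.endswith(suffix) for suffix in iocs["path_suffix"]):
                hits.append(Hit(line_no, etype, "path_suffix", path))
            # ntpath handles Windows separators even when run on Linux/macOS.
            if ntpath.basename(low) in iocs["filename"]:
                hits.append(Hit(line_no, etype, "filename", path))
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Run against the constructed sample it reports three hits: the loader DLL path in an imageload event, the stash file name in a filewrite event, and the sample hash in a process event; the netconn event and the malformed line are ignored. Feeding it a real EDR export means pointing `scan_events` at the file's lines and replacing the placeholder IoC sets.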