PRIVATELOG (Malware Family)

PRIVATELOG

Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.

References

2022-05-04 ⋅ Cybereason ⋅ Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti

2022-05-04 ⋅ Cybereason ⋅ Akihiro Tomita, Assaf Dahan, Chen Erlich, Daniel Frank, Fusao Tanida, Niv Yona, Ofir Ozer
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti

2021-09-03 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Twitter thread on SPARKLOG, a launcher component for PRIVATELOG along with STASHLOG
PRIVATELOG STASHLOG

2021-09-01 ⋅ FireEye ⋅ Adrien Bataille, Blaine Stancill
Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth
PRIVATELOG STASHLOG

Yara Rules

[TLP:WHITE] win_privatelog_w0 (20230119 | Detects possible hijack of legitimate prntvpt.dll based on missing export)

import "math"
import "pe"

rule win_privatelog_w0 {

    meta:
        author = "adrien.bataille@mandiant.com"
        description = "Detects possible hijack of legitimate prntvpt.dll based on missing export"
        md5 = "91b08896fbda9edb8b6f93a6bc811ec6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog"
        malpedia_rule_date = "20230119"
        malpedia_hash = ""
        malpedia_version = "20230119"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        pe.exports("PTOpenProviderEx")
        and not pe.exports("MergeAndValidatePrintTicketThunk")
}

Download all Yara Rules

PRIVATELOG Propose Change

References

Yara Rules

PRIVATELOG