PRIVATELOG Malware Hides in the Windows Common Log File System
High-profile threat actors often experiment with new mechanics and strategies to plant malware in places that antivirus tools will not check. The PRIVATELOG Malware is one of the latest samples to use an innovative strategy in this area. So far, this implant has not been deployed fully in attacks; its creators are likely still testing and debugging it in order to fine-tune every stage of the PRIVATELOG Malware infection.
What is Special about the PRIVATELOG Malware?
The unique thing about this particular threat is the trick it uses to store its data on the victim's machine. While the infection vector is not clear yet, the malware keeps its data in the CLFS files that Windows creates. CLFS, or Common Log File System, is a logging framework that Microsoft has shipped with Windows since Vista and Server 2003 R2. The purpose of CLFS files is to maintain log data about various system functions. One of its advantages is that it performs better than traditional text files when it comes to preserving, classifying, and managing logs. However, this fairly obscure format is not easy to read, and many applications do not support CLFS files. This is why the PRIVATELOG Malware uses it: the format can hide its contents from antivirus scanners.
Keep in mind that this does not mean that PRIVATELOG Malware is undetectable. The criminals behind the project need to do a lot more to evade antivirus tools fully. A reputable anti-malware application will still identify PRIVATELOG Malware when it tries to perform any malicious actions. So far, it is not clear what the purpose of the malware is.
Cybercriminals continue to try to get ahead of antivirus vendors. While the PRIVATELOG Malware is a step in this direction, it is far from capable of evading antivirus tools with 100% success. We have yet to see what the true purpose of this implant is, but judging by the tricks it uses, it is certain that its creators have big plans for it.