Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks. The trick is part of a longer chain involving intermediary PowerShell commands that ultimately delivers a script used for reconnaissance.

MSP threat detection provider Huntress Labs discovered an attack scenario in which a threat actor who had already gained access to and persistence on a target machine used an unusual trick to carry on with their attack routine. From this position, they used a file called “a.chk” that imitates a Windows application error log. The last column of the file shows what appear to be hexadecimal values.
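One way a defender can check a suspected carrier file for this pattern: pull the last column of each line, concatenate the tokens that are pure hex, and see whether they decode to mostly printable ASCII. This is an added example, not Huntress's tooling or the original a.chk; the log lines and the decoded placeholder text are constructed.

```python
import re

# Whitespace-delimited token made only of hex digit pairs (e.g. "6563686F").
HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def last_columns(log_text: str) -> list:
    """Return the last whitespace-delimited column of every non-empty line."""
    return [line.split()[-1] for line in log_text.splitlines() if line.strip()]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def analyze_log(log_text: str, min_bytes: int = 8, min_ratio: float = 0.95) -> dict:
    """Flag a log whose last columns, concatenated, decode from hex to ASCII text.

    Tokens that are not plain hex (words, pids, 0x-prefixed error codes) are
    skipped, so a genuine entry interleaved with the carrier lines does not
    derail the decode. A short or mostly non-printable result is ignored so
    ordinary numeric columns are not flagged.
    """
    hex_tokens = [t for t in last_columns(log_text) if HEX_TOKEN.match(t)]
    data = bytes.fromhex("".join(hex_tokens))
    suspicious = len(data) >= min_bytes and printable_ratio(data) >= min_ratio
    return {
        "hex_lines": len(hex_tokens),
        "decoded": data.decode("ascii", errors="replace") if suspicious else "",
        "suspicious": suspicious,
    }


# Constructed fake "error log": the last column of most lines is hex-encoded
# ASCII; the decoded text is a harmless placeholder, not the real payload.
FAKE_LOG = """\
2020-09-02 08:14:01 svchost ERROR Update check failed  6563686F
2020-09-02 08:14:02 svchost ERROR Update check failed  20706C61
2020-09-02 08:14:03 svchost WARN  Retry scheduled      0x80070005
2020-09-02 08:14:04 svchost ERROR Update check failed  6365686F
2020-09-02 08:14:05 svchost ERROR Update check failed  6C646572
"""

# Constructed ordinary log for the negative case: "30" is valid hex but the
# decoded result is far below the byte threshold.
BENIGN_LOG = """\
2020-09-02 08:20:11 svchost INFO  Service started        pid=1204
2020-09-02 08:20:12 svchost ERROR Access denied          0x80070005
2020-09-02 08:20:13 svchost INFO  Retrying in seconds    30
"""

if __name__ == "__main__":
    for name, text in (("a.chk-style", FAKE_LOG), ("benign", BENIGN_LOG)):
        print(name, analyze_log(text))
```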
SOURCE: Bleeping Computer