Fileless malware PRIVATELOG hides payload in CLFS files
Researchers at Mandiant (a FireEye subsidiary) analyzed a malicious program that uses an unusual way of storing its code in the memory of system processes. The malware, dubbed PRIVATELOG, and its installer, STASHLOG, use CLFS (Common Log File System) containers, whose contents cannot be parsed with standard Windows tools and are rarely detected by antivirus software.
"Because the CLFS log file format is not widely used or specified in technical documentation, modern parsers do not know how to parse these files," analysts explained on the Mandiant blog. "Malicious data hidden as log records is also convenient to use."
The end goal of the new malware's authors is still unclear to researchers, and it is most likely still in development.
The methods of protection against the newly emerged threat are the same as for any other malware: patching installed software in a timely manner, monitoring systems for evidence of malicious activity, using antivirus for email protection, employee education, etc. Analysts also recommend using Mandiant's YARA rules to scan for signs of STASHLOG and PRIVATELOG infection, and regularly reviewing EDR logs for IoCs in process, imageload, and filewrite event records.
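As an added illustration of the "review EDR filewrite records" advice (example code written for this article, not Mandiant's YARA rules or any vendor's tooling), the script below scans constructed EDR-style filewrite events for CLFS base log files (which carry the .blf extension) being written outside the directories where Windows normally keeps them. The JSON field names, the sample paths and the expected-directory allowlist are assumptions for the example; CLFS container files can be named arbitrarily, so this catches base-log creation only and should be paired with content-based rules such as YARA.

```python
"""Flag CLFS base log (.blf) writes outside expected locations in EDR filewrite telemetry."""
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry in JSON-lines form. The field names (event_type, pid,
# image, target_path) are assumptions about an EDR export, not any vendor's schema,
# and every path and PID below is made up for the example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event_type": "filewrite", "pid": 912, "image": r"C:\Windows\System32\svchost.exe",
     "target_path": r"C:\Windows\System32\config\TxR\{0d1c8e2a-0000-0000-0000-000000000000}.TM.blf"},
    {"event_type": "filewrite", "pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "target_path": r"C:\Users\alice\Documents\notes.txt"},
    {"event_type": "filewrite", "pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target_path": r"C:\ProgramData\ExampleApp\cache.blf"},
    {"event_type": "filewrite", "pid": 912, "image": r"C:\Windows\System32\svchost.exe",
     "target_path": r"C:\Windows\Temp\session.blf"},
    {"event_type": "fileread", "pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target_path": r"C:\ProgramData\ExampleApp\cache.blf"},
])

# Directories where CLFS base log files are expected on a Windows host. This allowlist is an
# assumption for the example; derive the real one from a baseline of your own fleet.
EXPECTED_CLFS_DIRS = (
    r"C:\Windows\System32\config\TxR",
    r"C:\Windows\System32\LogFiles",
)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_clfs_base_log(path):
    """CLFS base log files use the .blf extension; container files may be named freely,
    so this check deliberately covers only the base log."""
    return PureWindowsPath(path).suffix.lower() == ".blf"


def under_expected_dir(path):
    """Case-insensitive check that the path sits below one of the allowlisted directories."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(d.lower().rstrip("\\") + "\\") for d in EXPECTED_CLFS_DIRS)


def find_suspicious_clfs_writes(events):
    """Return filewrite events that create or modify a .blf outside the expected directories."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "filewrite":
            continue  # only writes matter here; reads of an existing log are a separate question
        target = ev.get("target_path", "")
        if not is_clfs_base_log(target) or under_expected_dir(target):
            continue
        findings.append({
            "pid": ev["pid"],
            "image": ev["image"],
            "target_path": target,
            "reason": "CLFS base log written outside expected directories",
        })
    return findings


def writers_by_image(findings):
    """Group findings by the writing process image so an analyst can triage per binary."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["image"], []).append(f["target_path"])
    return grouped


if __name__ == "__main__":
    hits = find_suspicious_clfs_writes(parse_events(SAMPLE_EVENTS))
    for image, paths in writers_by_image(hits).items():
        print(image)
        for p in paths:
            print("    ", p)
```

On the sample data the svchost.exe write under config\TxR is ignored as expected, while the .blf written by a binary in a user's Temp directory and the one dropped under C:\Windows\Temp are both reported. In practice the process image should be triaged together with the corresponding process and imageload records the article mentions, since a legitimate system binary can also be made to write a log on an attacker's behalf.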
Source: anti-malware.ru
07 September 2021