Researchers have revealed data about a new malware family that uses the Common Log File System (CLFS) to conceal a second-stage payload in registry transaction files in order to avoid detection. The malware, named PRIVATELOG, and its installer, STASHLOG, were discovered by FireEye’s Mandiant Advanced Practices team. Details about the threat actor’s identity and motivations are still unknown.
CLFS (Common Log File System) is a general-purpose logging subsystem for producing high-performance transaction logs that is available to both kernel-mode and user-mode applications. It debuted with Windows Server 2003 R2 and has since been incorporated into subsequent Windows operating systems. CLFS can be used for event logging as well as data logging. TxF and TxR employ CLFS to save transactional state changes before committing a transaction. Any integrated Windows utility will not be able to examine the Binary Log File(s) created by CLFS.