Hackers exploit Windows Error Reporting service in new fileless attack
A new fileless attack technique that abuses the Microsoft Windows Error Reporting (WER) service is the work of a hacking group that is yet to be identified.
According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion.
In a blog post on Tuesday, the duo said the new “Kraken” attack — albeit not a completely novel technique in itself — was detected on September 17.
A phishing lure document found by the team was packaged in a .ZIP file. Titled “Compensation manual.doc,” the file claims to contain information relating to worker compensation rights but, when opened, triggers a malicious macro.
The macro uses a custom version of the CactusTorch VBA module to spring a fileless attack, made possible through shellcode.
CactusTorch is able to load a .NET compiled binary called “Kraken.dll” into memory and execute it via VBScript. This payload injects an embedded shellcode into WerFault.exe, a process connected to the WER service and used by Microsoft to track and address operating system errors.
“That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens,” Malwarebytes says. “When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.”
This technique is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware.
The shellcode is also commanded to make an HTTP request to a hard-coded domain, likely to download additional malware.
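A defender's view of the behaviour described above, as an added example that is not from Malwarebytes or the original article: a triage pass over process-creation and network events that flags WerFault.exe instances started by an Office application, started without a target process, or contacting an unexpected host. The event dictionaries are constructed samples shaped like Sysmon event IDs 1 and 3; the allow-list suffix and the `-p` heuristic are assumptions to tune per environment.

```python
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: hosts WerFault.exe may legitimately contact; tune per environment.
ALLOWED_SUFFIXES = (".microsoft.com",)

# Constructed events shaped like Sysmon process-create (id 1) and
# network-connect (id 3) records. PIDs and hosts are made up.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 3304 -s 1520"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "dest_host": "watson.telemetry.microsoft.com"},
    {"id": 1, "pid": 5288, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"id": 3, "pid": 5288, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "dest_host": "download.example.test"},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def suspicious_werfault(events):
    """Return {pid: [reasons]} for WerFault.exe instances worth triage."""
    hits = {}
    for ev in events:
        if _name(ev["image"]) != "werfault.exe":
            continue
        reasons = hits.setdefault(ev["pid"], [])
        if ev["id"] == 1:
            if _name(ev["parent"]) in OFFICE_PARENTS:
                reasons.append("office-parent")
            # Assumption: a genuine crash report names the crashed process with -p.
            if "-p" not in ev["cmdline"].split()[1:]:
                reasons.append("no-target-pid")
        elif ev["id"] == 3:
            if not ev["dest_host"].lower().endswith(ALLOWED_SUFFIXES):
                reasons.append("unexpected-host:" + ev["dest_host"])
    return {pid: r for pid, r in hits.items() if r}


if __name__ == "__main__":
    for pid, reasons in suspicious_werfault(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Each signal alone is weak, since a crashing Word process can legitimately start WerFault.exe; the combination on one PID is what merits a closer look.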
Operators of Kraken follow up with several anti-analysis methods, including code obfuscation, forcing the DLL to operate in multiple threads, checking for sandbox or debugger environments, and scanning the registry to see if VMware’s virtual machines or Oracle’s VirtualBox are running. The developers have programmed the malicious code to terminate if indicators of analysis activity are found.
The Kraken attack has so far proven difficult to attribute. The malware’s hard-coded target URL had been taken down at the time of analysis, and without it there are no clear markers pointing to one APT or another.
However, Malwarebytes says there are some elements that reminded researchers of APT32, also known as OceanLotus, a Vietnamese APT believed to be responsible for attacks against BMW and Hyundai in 2019.