Hackers Used Windows Error Reporting Service To Generate New Fileless Attack

fileless attack

Hackers were able to exploit a new fileless attack abusing Microsoft Windows Error Reporting (WER) service, the hacker group is still unknown and their entire exploit process is yet to be unveiled.

According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on malware burying itself in WER-based executables in order to avoid arousing suspicion.

In a blog post on Tuesday, the duo said the new “Kraken” attack — although not a completely novel technique inherently — was detected on September 17. 

A lure phishing document found by the team was packaged up in a .ZIP file. Titled, “Compensation manual.doc,” the file appears to hold information relating to worker compensation rights, however, when opened, is able to trigger a malicious macro, according to the details

The macro uses a custom version of the CactusTorch VBA module to generate a fileless attack, made possible through shellcode. 

CactusTorch is able to load a .Net compiled binary called “Kraken.dll” into memory and execute it via VBScript. This payload injects an embedded shellcode into WerFault.exe, a process connected to the WER service, and used by Microsoft to track and address operating system errors.

“That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens,” Malwarebytes says. “When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.”

This technique is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware. The shellcode is also commanded to make an HTTP request to a hard-coded domain, likely to download additional malware. 

Operators of Kraken follow up with several anti-analysis methods, including code obfuscation, forcing the DLL to operate in multiple threads, checking for sandbox or debugger environments, and scanning the registry to see if VMWare’s virtual machines or Oracle’s VirtualBox are running. The developers have programmed the malicious code to terminate if indicators are found of analysis activities. 

The Kraken attack is quite difficult to attribute, currently. The hard-coded target URL of the malware was taken down at the time of analysis, and without it, clear markers indicating one APT or another are not possible.  However, According to Malwarebytes, there are some elements that have recalled researchers of APT32, aka OceanLotus, a Vietnamese APT believed to be responsible for cyberattacks against car manufacturers BMW and Hyundai in 2019.