An unidentified group of hackers injected malicious code into the legitimate Windows Error Reporting (WER) service to evade detection as part of a fileless malware attack, as discovered by researchers. Abusing the WER service for defense evasion is, however, not a new tactic.
This fileless malware has been dubbed “Kraken”.
The threat actors compromised a website to host their payload and used the CactusTorch framework to carry out a fileless attack, followed by several anti-analysis techniques.
Use of Spear Phishing to drop the Payload
The attack was first noticed in the month of September after the researchers spotted phishing emails containing a malicious document encased in a ZIP archive.
The initial malicious payloads were delivered onto the targets’ computers via spear-phishing emails using a worker’s compensation claim as the bait.
The document will execute shellcode via a malicious macro once opened. This macro is identified as a CactusTorch VBA module which loads a .NET payload straight into the now infected Windows device’s memory.
As the next step, the embedded shellcode is injected into WerFault.exe, the Windows process of the WER service, and executed from the computer’s memory, leaving no traces on the hard drive.
The same process injection technique is used by other malware to bypass detection, including both Cerber ransomware and NetWire RAT.
Once injected with the malicious code, the newly created Windows Error Reporting process goes through several anti-analysis checks to determine whether it is being debugged or running in a virtual machine or sandbox environment, all signs of being examined by a malware researcher.
If all these checks pass and the loaded malware deems the environment safe enough to proceed, it decrypts and loads the final shellcode in a newly created thread within the WER process, where it is then executed.
The final malware payload hosted on the asia-kotoba[.]net in the form of a fake favicon will then be downloaded and injected into a new process.
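As an added illustration that is not part of the original article, the following Python sketch shows how a defender might flag the WerFault.exe abuse described above in process-creation and remote-thread telemetry. The Sysmon-like event shape, the sample events, the list of Office parent processes and the assumption that a legitimate WerFault launch carries a "-p <pid>" argument are all assumptions of this example, not details from the Kraken report.

```python
import ntpath
import re

# Constructed Sysmon-like events (event_id 1 = process create, 8 = CreateRemoteThread).
# These are made-up samples for the demo, not telemetry from the Kraken campaign.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\WerFault.exe",
     "command_line": "WerFault.exe -u -p 4120 -s 1856",
     "parent_image": r"C:\Users\alice\AppData\Local\Foo\foo.exe"},            # benign crash report
    {"event_id": 1, "image": r"C:\Windows\System32\WerFault.exe",
     "command_line": "WerFault.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},  # spawned by a maldoc
    {"event_id": 8, "source_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_image": r"C:\Windows\System32\WerFault.exe"},                    # remote thread into WerFault
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},                    # unrelated, benign
]

# Assumption: Office applications are the usual hosts of a macro-launched WerFault.exe.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a genuine WER launch names the faulting process with "-p <pid>".
WER_PID_ARG = re.compile(r"(?:^|\s)-p\s+\d+")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def score_event(ev):
    """Return the detection reasons that apply to one event (empty list = no finding)."""
    reasons = []
    if ev.get("event_id") == 1 and _base(ev.get("image")) == "werfault.exe":
        if not WER_PID_ARG.search(ev.get("command_line", "")):
            reasons.append("werfault_without_crash_args")      # no crash to report: likely a hollowed host
        if _base(ev.get("parent_image")) in OFFICE_APPS:
            reasons.append("werfault_spawned_by_office")       # weaker signal: a real Office crash looks alike
    if ev.get("event_id") == 8 and _base(ev.get("target_image")) == "werfault.exe":
        reasons.append("remote_thread_into_werfault")          # thread injection into the WER process
    return reasons


def scan(events):
    """Collect (reasons, event) pairs for every event that triggers at least one rule."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append((reasons, ev))
    return findings


if __name__ == "__main__":
    for reasons, ev in scan(SAMPLE_EVENTS):
        print(ev["event_id"], ", ".join(reasons))
```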
Footsteps of a known foe.
While the researchers were not able to attribute the attack to any hacking group with sufficient confidence, some of the indicators of compromise and tactics used point to the APT32 cyberespionage group.
This threat group is also known as OceanLotus or SeaLotus.
The link stems from the fact that APT32 is known for using the CactusTorch VBA module to drop variants of the Denis RAT in its attacks.
The other hint that could potentially link this attack to the APT group is the domain (yourrighttocompensation[.]com), registered in Ho Chi Minh City, Vietnam, that was used to host and deliver the phishing document and malicious payloads.
APT32 has previously targeted foreign organizations that have invested in businesses based in Vietnam by delivering malicious attachments via spear-phishing emails.
To read more, please check eScan Blog