It is learnt that a new fileless attack method that exploits the Microsoft Windows Error Reporting (WER) service is the handiwork of an unknown hacking group.

The attack vector, as per Malwarebytes security researchers Hossein Jazi and Jérôme Segura, hinges on malware interring itself in WER-based executables to dodge igniting doubt.

The duo said the new “Kraken” attack was spotted on September 17.

A bait phishing document discovered by the team was wrapped up in a .ZIP file. Titled, “Compensation manual.doc,” the file claims to comprise information regarding worker recompence rights, but when opened, is able to activate a malevolent macro.

“That reporting service, WerFault.exe, is typically appealed when a mistake related to the operating system, Windows features, or applications occurs,” Malwarebytes says.

“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.”

This method is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware.

The shellcode is also ordered to make an HTTP request to a hard-coded domain, expected to download extra malware.

The Kraken attack has proven to be problematic to ascribe. Nevertheless, Malwarebytes says there are some essentials that reminded investigators of APT32, also known as OceanLotus, a Vietnamese APT believed to be accountable for attacks against BMW and Hyundai in 2019.


Leave a Reply

Your email address will not be published. Required fields are marked *