Thursday, March 28, 2024

Hackers Abuse Windows Error Reporting (WER) Service in Fileless Malware Attack

Security researchers uncovered a new attack dubbed Kraken that uses injected its payload into the Windows Error Reporting service to evade detection.

The WerFault.exe is a service that shows some error happened with the operating system, Windows features, or applications, victims would assume some error happen, but attackers stealthy execute malware using the process.

Fileless Malware Attack

Security researchers from Malwarebytes observed a new attack with a zip file containing a malicious document dubbed “Compensation manual.doc” and it has an image tag that points to the website “yourrighttocompensation[.]com”.

Inside the malicious document file, it includes a modified version of CactusTorch(shellcode launcher) VBA module that leverages the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from VBScript.

Once it is opened by a victim it will execute the CactusTorch macro that loads the NET payload straight directly in the windows device’s memory.

The binary is executed on the window’s memory and injects embedded shellcode into the Windows process. As the binary executed on windows memory it won’t leave any traces on the hard disk.

The new maliciously created Windows Error Reporting service will before some anti-analysis checks such as not running in an analysis/sandbox environment or a debugger.

Once it feels safe after anti-analysis it decrypts and loads the final payload int he maliciously created Windows Error Reporting service. The payload is hosted on the website asia-kotoba[.]net in the name of favicon.

At the time of the report, the target URL was down, so that Malwarebytes unable to retrieve this shellcode for further analysis.

Researchers believe the attack relates to APT32, but not having enough evidence to attribute this attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

GitHub Launches Code Scanning Tool to Find Security Vulnerabilities – Available for All Users

Beware of the New Critical Zerologon Vulnerability in The Windows Server

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles