Hackers exploit Windows Error Reporting service in new fileless attack

The Kraken attack technique abuses WER to avoid detection.

Cyberwarfare: State-backed hackers create big concerns for security professionals

A new fileless attack technique that abuses the Microsoft Windows Error Reporting (WER) service is the work of a hacking group that is yet to be identified. 

According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion.

In a blog post on Tuesday, the duo said the new "Kraken" attack -- albeit not a completely novel technique in itself -- was detected on September 17. 

See also: Researchers track hacking 'fingerprints,' link Russian attackers to Windows exploit sellers

A lure phishing document found by the team was packaged up in a .ZIP file. Titled, "Compensation manual.doc," the file claims to contain information relating to worker compensation rights, but when opened, is able to trigger a malicious macro. 

The macro uses a custom version of the CactusTorch VBA module to spring a fileless attack, made possible through shellcode. 

CactusTorch is able to load a .Net compiled binary called "Kraken.dll" into memory and execute it via VBScript. This payload injects an embedded shellcode into WerFault.exe, a process connected to the WER service and used by Microsoft to track and address operating system errors.

"That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens," Malwarebytes says. "When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack."

CNET: Amazon doubles down on Echo home security. What to know

This technique is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware

The shellcode is also commanded to make an HTTP request to a hard-coded domain, likely to download additional malware. 

Operators of Kraken follow up with several anti-analysis methods, including code obfuscation, forcing the DLL to operate in multiple threads, checking for sandbox or debugger environments, and scanning the registry to see if VMWare's virtual machines or Oracle's VirtualBox are running. The developers have programmed the malicious code to terminate if indicators are found of analysis activities. 

TechRepublic: How to boost the effectiveness of your cybersecurity operations

The Kraken attack has proven to be difficult to attribute, at present. The hard-coded target URL of the malware was taken down at the time of analysis, and without this, clear markers indicating one APT or another are not possible. 

However, Malwarebytes says there are some elements that reminded researchers of APT32, also known as OceanLotus, a Vietnamese APT believed to be responsible for attacks against BMW and Hyundai in 2019. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0