Hackers exploit Windows Error Reporting service to evade detection

A new attack discovered by Malwarebytes researchers abuses the Windows Error Reporting (WER) service as a means of staying hidden from security solutions. The research team has not attributed the campaign, dubbed Kraken, to any known threat actor, but they say they have found some similarities to attacks by the Vietnamese APT32 group.

“While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker’s compensation claim. The threat actors compromised a website to host its payload and then used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques,” the report said.

The attack was first observed on September 17, after the researchers discovered phishing emails carrying a ZIP archive that contained a malicious document, ostensibly providing information about workers' compensation rights. Once opened, the document executes shellcode via a malicious macro, identified as a CactusTorch VBA module, which loads a .NET payload into memory. This binary, called Kraken.dll, is then executed from the device's memory and injects embedded shellcode into WerFault.exe, the Windows process that implements the WER service.

The newly created Windows Error Reporting thread containing the malicious code runs several anti-analysis checks to determine whether it is being debugged or whether it is running in a virtual machine or a sandbox environment. Once the checks pass, the malware decrypts the final shellcode and executes it in a newly created WerFault.exe thread.
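As an added illustration from the defender's side (this is not code from the Malwarebytes report or from this article), the routine below triages constructed process telemetry for the two behaviours described above: WerFault.exe started beneath an Office application, and a remote thread created in WerFault.exe by another process. The event shape, field names and sample events are assumptions of this example, loosely modelled on Sysmon process-create and remote-thread events.

```python
# Added example, not from the Malwarebytes report. Event layout and field
# names are assumptions (loosely Sysmon-like); the sample events are constructed.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[dict]:
    """Return one alert per event matching a WerFault.exe abuse heuristic."""
    alerts = []
    office_werfault = {}  # pid -> parent image, for WerFault.exe started under Office
    for ev in events:
        if ev["type"] == "process_create":
            # An Office crash can also spawn WerFault.exe, so this alone is only
            # "review"; it is escalated if the same pid later receives a remote thread.
            if basename(ev["image"]) == "werfault.exe" and basename(ev["parent"]) in OFFICE_PARENTS:
                office_werfault[ev["pid"]] = ev["parent"]
                alerts.append({"pid": ev["pid"], "rule": "werfault_office_parent",
                               "severity": "review", "parent": ev["parent"]})
        elif ev["type"] == "remote_thread" and basename(ev["target_image"]) == "werfault.exe":
            # A thread created in WerFault.exe from another process matches the injection step
            severity = "high" if ev["target_pid"] in office_werfault else "medium"
            alerts.append({"pid": ev["target_pid"], "rule": "werfault_remote_thread",
                           "severity": severity, "source": ev["source_image"]})
    return alerts


# Constructed sample telemetry: one ordinary crash report, one suspicious chain,
# one unrelated process start.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "pid": 5120, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "remote_thread", "source_pid": 3344, "target_pid": 5120,
     "source_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_image": r"C:\Windows\System32\WerFault.exe"},
    {"type": "process_create", "pid": 6001, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def demo() -> list[dict]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```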

The researchers said the final malware payload is hosted on asia-kotoba[.]net, disguised as a favicon, but because the target URL was down at the time of the investigation they were unable to retrieve the shellcode for further analysis.
