Saturday, January 23, 15:37
Home security Hackers exploit the WER service as part of a fileless malware attack

Hackers exploit the WER service as part of a fileless malware attack

Hackers posted malicious code in legitimate Windows service, Windows Error Reporting (WER), as part of a fileless malware attack. The introduction of malicious code in this service is aimed at avoid detection, according to its researchers Malwarebytes.

Hackers exploit the WER service as part of a fileless malware attack

Exploiting the WER service is not a new tactic, but according to Malwarebytes researchers Hossein Jazi and Jérôme Segura, this fileless malware attack is the work of a stranger hacking group aimed at espionage.

"The attackers violated a site to host their payload and used it CactusTorch framework to perform a fileless attack, accompanied by several techniques that prevent analysis", Explains the report.

Spear-phishing to install payload

The attack was first observed on September 17, when investigators discovered Phishing messages containing malicious document in ZIP format.

The original malicious payloads were installed on computers of targets through spear-phishing emails.

When the document is opened, it is executed shellcode via a malicious macro identified as the CactusTorch VBA module, which loads a .NET payload directly into the memory of an infected Windows device.

The binary is then run from the computer memory, without leaving traces on the hard drive, by inserting the built-in shellcode into WerFault.exe, the Windows WER service process.

Hackers exploit the WER service as part of a fileless malware attack

The same technique is used by other malicious programs (Cerber ransomware and NetWire RAT) to avoid detection.

With malicious code inserted into the Windows Error Reporting service thread, the hackers check if a debugger is being used on the target device or if the payload is running on a virtual machine or sandbox. In short, they check if detection techniques are used.

If the malware feels "secure enough" to go to the next step, it will also decrypt will load the final shellcode into a new WER thread, which will be executed in a new thread.

The final malware payload hosted on asia-kotoba [.] Net in the form of a fake favicon, will be downloaded and introduced in a new process.

Malwarebytes researchers failed to analyze the final payload.

APT32 is probably behind the fileless malware attack

Malwarebytes failed to link the attack to a specific group. However, some of the violation indicators and tactics observed indicate that they are probably behind attack Is located APT32 espionage group (also known as OceanLotus and SeaLotus) supported by the Government of Vietnam. For example, APT32 typically uses the CactusTorch VBA module to distribute variants of the Denis Rat.

Also, according to Bleeping Computer, for their hosting and distribution Phishing emails and malicious payloads used a domain (yourrighttocompensation [.] Com) registered in Ho Chi Minh City, Vietnam.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!



Elon Musk: Gives $ 100 million for best CO2 capture technology Ο Elon Musk δήλωσε χθες, στο λογαριασμό του στο Twitter, ότι σκοπεύει να δώσει 100 εκατομμύρια...

How can you unblock sites and services using a VPN?

The Internet is free and open to all. However, there are some sites and services whose content is blocked, which ...

Google Chrome: How to manage your extensions?

Google Chrome extensions can be very useful, as they improve your productivity when using the browser.

Intel CPUs Review: Core i7-10700 vs Core i7-10700K!

Over the years, the Intel series of processors (CPUs) introduced the series of overclocking models "K" and more recently the series ...

The DeLorean can return as an electric car

The DMC DeLorean has been out of production for almost 40 years, but it looks like the iconic vehicle will return as an electric car.

Windows RDP servers are used to support DDoS

Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to reinforce the unwanted ...

SEPA: He refused to pay a ransom and thousands of files were leaked

Thousands of stolen files of the Scottish Environmental Protection Agency (SEPA) have been published by hackers, after the organization refused to pay the ransom ...

Fines at Valve, Capcom and Zenimax for geo-exclusion of games

Following a European Commission investigation, a group of video game publishers was fined € 7,8 million following allegations of geo-exclusion practices. In...

Bitcoin helps the middle class survive the pandemic

Regulators still imply that Bitcoin is just a tool for criminals, but it seems that for the middle class ...

Lightworks 2021.1 for Linux, Mac and Windows has been released

Lightworks Professional Multi-Platform Video Editing Software received the first major update to Lightworks 2021.1 for Windows, Linux and Mac.