Hackers planted malicious code in a legitimate Windows service, Windows Error Reporting (WER), as part of a fileless malware attack. Running malicious code inside this service is intended to evade detection, according to researchers at Malwarebytes.
Abusing the WER service is not a new tactic, but according to Malwarebytes researchers Hossein Jazi and Jérôme Segura, this fileless malware attack is the work of an unknown hacking group focused on espionage.
"The attackers compromised a site to host their payload and used the CactusTorch framework to perform a fileless attack, accompanied by several techniques that prevent analysis," the report explains.
Spear-phishing to install payload
The attack was first observed on September 17, when researchers discovered phishing messages carrying a malicious document inside a ZIP archive.
When the document is opened, a malicious macro identified as the CactusTorch VBA module executes shellcode that loads a .NET payload directly into the memory of the infected Windows device.
The binary then runs from memory, leaving no trace on disk, by injecting its embedded shellcode into WerFault.exe, the process behind the Windows WER service.
The same technique is used by other malicious programs (Cerber ransomware and NetWire RAT) to avoid detection.
With malicious code injected into a Windows Error Reporting service thread, the attackers check whether a debugger is attached on the target device and whether the payload is running inside a virtual machine or sandbox. In short, they check whether analysis or detection tooling is in use.
If the malware considers itself "safe enough" to proceed, it decrypts and loads the final shellcode into a new WER thread, where it is executed.
The final payload, hosted on asia-kotoba[.]net disguised as a favicon, is then downloaded and injected into a new process.
Malwarebytes researchers were unable to analyze the final payload.
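As an added illustration from the defender's side (not code from the Malwarebytes report), the following Python hunting rules flag the three observable steps of the chain above in constructed Sysmon-style telemetry: WerFault.exe started without the crash-report arguments a real crash passes to it, a remote thread planted into WerFault.exe, and WerFault.exe contacting a host outside an assumed Microsoft allow-list. The event field names, the allow-list and the sample records are assumptions made for this example.

```python
"""Toy hunting rules for the WerFault.exe injection chain described above (Sysmon-style records)."""
from typing import Dict, List

# Hosts WerFault.exe may legitimately contact (assumed allow-list for this example).
MS_REPORTING_DOMAINS = ("microsoft.com", "windows.com")

def is_werfault(path: str) -> bool:
    return path.lower().endswith(r"\werfault.exe")

def is_allowed_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MS_REPORTING_DOMAINS)

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one event (empty if benign)."""
    hits: List[str] = []
    etype = ev["EventType"]
    if etype == "ProcessCreate" and is_werfault(ev["Image"]):
        # A genuine crash report passes the faulting pid (-p <pid>); a bare command
        # line suggests WerFault.exe was started only to serve as an injection host.
        if "-p" not in ev.get("CommandLine", "").split():
            hits.append("werfault_without_crash_args")
    elif etype == "CreateRemoteThread" and is_werfault(ev["TargetImage"]):
        # Another process planting a thread in WerFault.exe matches the loader step.
        hits.append("remote_thread_into_werfault")
    elif etype == "NetworkConnect" and is_werfault(ev["Image"]):
        # The final stage is fetched by WerFault.exe from an attacker-controlled host.
        if not is_allowed_host(ev.get("DestinationHostname", "")):
            hits.append("werfault_nonms_network")
    return hits

def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := score_event(ev))}

WER = r"C:\Windows\System32\WerFault.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed telemetry: three events from the macro-driven chain, then a benign crash.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": WER, "ParentImage": WORD, "CommandLine": WER},
    {"EventType": "CreateRemoteThread", "SourceImage": WORD, "TargetImage": WER},
    {"EventType": "NetworkConnect", "Image": WER, "DestinationHostname": "asia-kotoba.net"},
    {"EventType": "ProcessCreate", "Image": WER, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": WER + " -u -p 4120 -s 812"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {rules}")
```

The benign crash record (event 3) produces no hit, which is the false-positive check a practitioner should keep alongside the positive cases.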
APT32 is probably behind the fileless malware attack
Malwarebytes could not definitively attribute the attack to a specific group. However, some of the indicators of compromise and tactics observed suggest that the Vietnamese government-backed espionage group APT32 (also known as OceanLotus and SeaLotus) is probably behind it. For example, APT32 typically uses the CactusTorch VBA module to distribute variants of the Denis RAT.
Also, according to Bleeping Computer, the domain used to host and distribute the phishing emails and malicious payloads (yourrighttocompensation[.]com) was registered in Ho Chi Minh City, Vietnam.