Fileless Malware Injected in Windows Error Reporting ServiceMalwarebytes Describes Defense Evasion Mechanism
Malwarebytes researchers have spotted a fresh attack tactic that involves threat actors directly injecting fileless malware into the Windows Error Reporting service as a defense evasion mechanism.
This approach may be the handiwork of an advanced persistent threat group known as "APT32," or "OceanLotus," which has ties to Vietnam, Malwarebytes says. The domain used to host some of the data is registered to Ho Chi Minh City, Vietnam, says Hossein Jazi, a senior threat researcher with Malwarebytes, and Jérôme Segura, director of threat intelligence for the security firm.
Starts With Phishing
The Malwarebytes researchers say the attack kicks off with a phishing scam that uses the subject line "Your Right to Compensation." The email contains a zip file that hosts a document labeled "Compensation manual.doc".
The document says it is encrypted and requests that the victim enable editing. When this is done, the victim is taken to a website where the fileless malware is loaded into the Windows Error Reporting system, according to the report.
The attackers use the Windows Error Reporting service because that makes the attack more difficult to detect, according to Malwarebytes. Werfault.exe, the Windows Error Reporting process of Windows 10, is used to report errors. If any application or hardware crashes in a device, then Werfault.exe makes it possible to forward the crash report to Microsoft, the researchers note.
"Inside [the document] we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode. CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript," the Malwarebytes researchers say.
The use of CactusTorch is another indicator APT32 may be behind the campaign because the group is known to use that VBA module to drop variants of the Denis remote access Trojan, according to Malwarebytes.
"However, since we were not able to get the final payload we cannot definitely attribute this attack to APT32," the researchers say (see: Vietnamese APT Group Targets BMW, Hyundai: Report).
The loaded payload is a .NET Dynamic Link Library with "Kraken.dll" as its internal name, researchers say.
"This DLL is a loader that injects an embedded shellcode into WerFault.exe. To be clear, this is not the first case of such a technique. It was observed before with the NetWire RAT and even the Cerber ransomware," Segura and Jazi note.
The researchers report that the loader has two main classes - Kraken and Loader. Kraken contains the shellcode that gets injected into the target process defined in this class as WerFault.exe.
"It only has one function that calls the Load function of Loader class with shellcode and target process as parameters. Whereas, the Loader class is responsible for injecting shellcode into the target process by making Windows API calls," the researchers note.
To perform anti-analysis checks, the hackers created multiple threads to make sure the fileless malware is not running in a sandbox environment or in a debugger. Researchers first checked the existence of a debugger by calling GetTickCount, which is a timing function that is used to measure the time needed to execute some instruction sets.
The Malwarebytes researchers note: "In this thread, it is being called two times before and after a sleep instruction and then the difference is being calculated. If it is not equal to 2, the program exits, as it identifies it is being debugged."