An unidentified hacker group injects malicious code into the legitimate Windows Error Reporting (WER) service process to evade detection in fileless cyber attacks.
Abusing WER in malicious operations is nothing new, but as Malwarebytes researchers Hossein Jazi and Jérôme Segura note, this campaign is the work of an as yet unidentified cyber espionage group. According to the researchers, the attackers compromised a website to host the payload and used the CactusTorch framework to carry out a fileless attack on an unnamed victim.
The attack was discovered on September 17 this year, when researchers identified phishing emails carrying a malicious document inside a ZIP archive, disguised as an employee compensation claim. Opening the document executed shellcode via a malicious CactusTorch VBA macro, which loads the .NET payload directly into the memory of the targeted Windows machine.
The malware then ran from the computer's memory, leaving no traces on the hard drive, and injected shellcode into WerFault.exe, the WER service process. The new WER thread containing the injected code then ran a series of anti-analysis checks to determine whether it was being debugged or running in a virtual machine or sandbox; in other words, the malware verified that it was not being examined by security researchers.
If all checks passed, the malware proceeded to the next stage: it decrypted and loaded the final shellcode inside WerFault.exe and executed it in a new thread. The final payload, hosted on the asia-kotoba[.]site domain in the form of a fake favicon, was then downloaded and injected into a new process.
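As an added, defender-side example (not code from the Malwarebytes write-up), the following Python hunt runs over constructed Sysmon-style process and network events and flags WerFault.exe activity that does not look like a genuine crash report, following the chain described above. It assumes that a legitimate WerFault.exe launch carries the faulting process id (`-p <pid>`) on its command line and that WER only reports to Microsoft hosts; both are assumptions, and the event records and the `hunt_werfault_abuse` function are hypothetical.

```python
from dataclasses import dataclass

# Assumptions (not from the write-up): a genuine WerFault.exe launch carries the
# faulting process id ("-p <pid>"), and WER only reports to Microsoft hosts.
WER_ALLOWED_HOSTS = {"watson.telemetry.microsoft.com", "watson.microsoft.com"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    kind: str            # "process" or "network"
    pid: int
    image: str           # process image name, lower-case
    parent: str = ""     # parent image (process events only)
    cmdline: str = ""    # command line (process events only)
    dest: str = ""       # destination host (network events only)


def hunt_werfault_abuse(events):
    """Return (pid, reason) findings for WerFault.exe activity that does not
    look like a normal crash report: no faulting pid, an Office parent, or a
    connection to a host outside the WER allowlist."""
    findings = []
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    for e in events:
        if e.kind == "process" and e.image == "werfault.exe":
            if "-p" not in e.cmdline.split():
                findings.append((e.pid, "WerFault.exe started without a faulting-process id"))
            if e.parent in OFFICE_PROCESSES:
                findings.append((e.pid, f"WerFault.exe spawned by Office process {e.parent}"))
        elif e.kind == "network":
            proc = by_pid.get(e.pid)
            if proc and proc.image == "werfault.exe" and e.dest not in WER_ALLOWED_HOSTS:
                findings.append((e.pid, f"WerFault.exe connected to non-WER host {e.dest}"))
    return findings


# Constructed sample telemetry: a genuine browser crash report, followed by the
# chain from the article (macro document -> WerFault.exe -> fake favicon fetch).
SAMPLE_EVENTS = [
    Event("process", 4001, "werfault.exe", parent="chrome.exe", cmdline="WerFault.exe -u -p 3990 -s 1264"),
    Event("network", 4001, "werfault.exe", dest="watson.telemetry.microsoft.com"),
    Event("process", 5200, "winword.exe", parent="explorer.exe", cmdline="WINWORD.EXE constructed_claim.doc"),
    Event("process", 5310, "werfault.exe", parent="winword.exe", cmdline="WerFault.exe"),
    Event("network", 5310, "werfault.exe", dest="asia-kotoba[.]site"),
]

if __name__ == "__main__":
    for pid, reason in hunt_werfault_abuse(SAMPLE_EVENTS):
        print(pid, reason)
```

The genuine crash report (pid 4001) produces no finding, while the injected WerFault.exe instance (pid 5310) is flagged three times.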
While the researchers find it difficult to say with certainty who is behind the new attacks, indicators of compromise point to the Vietnamese cyber espionage group APT32 (also known as OceanLotus and SeaLotus).