Hackers Abuse Windows Error Service In Fileless Malware Attack

An unknown hacking group injected malicious code within the legitimate Windows Error Reporting (WER) service to evade detection as part of a fileless malware attack as discovered by Malwarebytes researchers last month.

Exploiting the WER service in attacks for defense evasion is not a new tactic but, as Malwarebytes Threat Intelligence Team researchers Hossein Jazi and Jérôme Segura said, this campaign is most likely the work of a yet unknown cyber espionage group.

“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques,” the report, shared in advance with BleepingComputer, explains.

Spear-phishing used to drop the payload

The attack was first observed on September 17 after the researchers spotted phishing emails containing a malicious document encased in a ZIP archive.

Initial malicious payloads were onto the targets’ computers via spear-phishing with emails using a worker’s compensation claim as the bait.

Once opened, the document will execute shellcode via a malicious macro identified as a CactusTorch VBA module which loads a .NET payload straight into the now infected Windows device’s memory.

In the next step, this binary is executed from the computer’s memory leaving no traces on the hard drive, injecting embedded shellcode into the WerFault.exe, the WER service’s Windows process.

Also Read: 10 Practical Benefits of Managed IT Services

The same process injection technique is used by other malware to bypass detection, including both Cerber ransomware and NetWire RAT.

The newly created Windows Error Reporting service thread injected with malicious code will go through several anti-analysis checks to see if it’s being debugged or if it’s running in a virtual machine or a sandbox environment, all signs of being examined by a malware researcher.

If all checks are passed and the malware loaded feels safe enough to get to the next step, it will decrypt and load the final shellcode in a newly created WER thread, which will get executed in a new thread.

The final malware payload hosted on the asia-kotoba[.]net in the form of a fake favicon will then be downloaded and injected into a new process.

Unfortunately, Malwarebytes was unable to analyze this final payload since the host URL was down at the time the researchers analyzed the attack.

Potential APT32 fingerprints

While the Malwarebytes researchers were not able to attribute the attack to any hacking group with enough confidence, some of the indicators of compromise and tactics used point to the Vietnamese-backed APT32 cyber espionage group (also tracked as OceanLotus and SeaLotus).

One of them is the fact that APT32 is known for using the CactusTorch VBA module to drop variants of the Denis Rat in their attacks.

Sadly, Malwarebytes did not manage to obtain a copy of the final payload after investigating this attack to make a direct connection.

The other hint that could potentially link this attack to the Vietnamese hacking group is the domain (yourrighttocompensation[.]com) registered in Ho Chi Minh City, Vietnam, that was used to host and deliver the phishing document and malicious payloads.

APT32 has previously targeted “foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors” by delivering malicious attachments via spear-phishing emails according to cybersecurity firm FireEye.

They are also known to be behind targeted attacks on research institutes from all over the world, media and human rights organizations, as well as Chinese maritime construction firms. [1, 2, 3, 4, 5, 6, 7]

Also Read: Limiting Location Data Exposure: 8 Best Practices