Threat actors have been seen abusing the Windows Problem Reporting tool to load malware into a compromised system’s memory via DLL sideloading. This technique allows threat actors to stealthily infect devices, as the reporting tool (WerFault.exe) is a legitimate, signed Windows executable found on all Windows systems.
The malware campaign using this technique started with a phishing email containing an ISO attachment. This ISO file contained four files: the legitimate WerFault.exe binary, a DLL file, an XLS file, and a shortcut LNK file. When the LNK file is launched, a scriptrunner.exe process is executed that is used to proxy the execution of the WerFault.exe binary. The DLL file contained within the ISO is a malicious DLL named “faultrep.dll”, which is a DLL that WerFault.exe loads upon execution. The WerFault.exe process sideloads this malicious faultrep.dll, which in turn performs two actions: it loads a copy of Pupy RAT into memory and then opens the included XLS spreadsheet as a decoy. Pupy RAT is open-source malware that gives the threat actors full access to an infected device, allowing them to execute commands, steal data, install other malware, or move laterally within a network.
The threat actors behind this specific campaign are currently unidentified, but it is believed that they are based in China, due to indicators within the XLS spreadsheet.
It is highly recommended to implement and maintain email security controls, including the ability to block certain file attachments. ISO files have become extremely popular among threat actors as a way to initially get malware onto a system while also evading defenses. In this campaign, the threat actors attached the ISO directly to a phishing email received by the end user. By blocking incoming emails that contain ISO (or IMG) attachments, an organization can help prevent campaigns like this one from infecting devices in the first place. It is also recommended to maintain proper endpoint security controls, such as an EDR, on all devices within an organization. EDRs may be able to detect and prevent malicious activity before it is able to completely compromise a system.
In cases where prevention does not occur, detections can be created to help alert security analysts to a potential infection. The infection vector used by these threat actors contains a number of suspicious behaviors that can be alerted upon. These include scriptrunner.exe being used to proxy the execution of an abnormal process, WerFault.exe executing from a location outside of the normal C:\Windows\System32 directory, WerFault.exe spawning an Excel process, and WerFault.exe making consistent outbound network requests to abnormal IP addresses. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
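The four behaviors listed above can be turned into concrete detection logic over process-creation and network-connection telemetry. The following is an added example written for this page, not Binary Defense code and not a product rule: it models a subset of Sysmon-style Event ID 1 and Event ID 3 records, runs four rules over constructed sample events that mirror the described chain (a mounted ISO on drive E:, a copied WerFault.exe proxied by ScriptRunner.exe, Excel spawned as the decoy, repeated connections to one non-Microsoft destination), and checks that the legitimate WerFault.exe launched from System32 does not fire. The event field names, the rule names, the "abnormal process" definition (child image not under C:\Windows), the trusted-hostname suffix and the beaconing threshold are all assumptions; the IP addresses are constructed documentation addresses.

```python
"""Detection rules for the WerFault.exe DLL-sideloading chain, run over
constructed Sysmon-style events. Added example; every field name, rule
name, threshold and sample value below is an assumption, not page data."""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass

WINDOWS_DIR = "c:\\windows"
WERFAULT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
TRUSTED_SUFFIX = ".microsoft.com"   # assumed: legitimate WER reporting endpoints
BEACON_THRESHOLD = 3                # assumed: repeated connections to one destination


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str
    parent_image: str


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of a Sysmon Event ID 3 (network connection) record."""
    image: str
    dest_ip: str
    dest_hostname: str = ""


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _under(path: str, root: str) -> bool:
    d = _dir(path)
    return d == root or d.startswith(root + "\\")


def detect_process(ev: ProcessEvent) -> list[str]:
    """Return the names of every process-creation rule the event matches."""
    hits: list[str] = []
    child, parent = _name(ev.image), _name(ev.parent_image)
    # WerFault.exe normally lives in System32/SysWOW64; a copy shipped in an
    # ISO executes from the mounted drive or a user-writable directory.
    if child == "werfault.exe" and _dir(ev.image) not in WERFAULT_DIRS:
        hits.append("werfault_outside_system32")
    # scriptrunner.exe proxying a binary that is not a Windows component
    # (assumed definition of "abnormal": child image not under C:\Windows).
    if parent == "scriptrunner.exe" and not _under(ev.image, WINDOWS_DIR):
        hits.append("scriptrunner_proxy_execution")
    # The error-reporting tool has no business launching Excel.
    if parent == "werfault.exe" and child == "excel.exe":
        hits.append("werfault_spawns_excel")
    return hits


def detect_beaconing(events: list[NetworkEvent]) -> list[str]:
    """Flag WerFault.exe connecting repeatedly to a non-Microsoft destination."""
    counts: Counter[str] = Counter()
    for ev in events:
        if _name(ev.image) != "werfault.exe":
            continue
        if ev.dest_hostname.lower().endswith(TRUSTED_SUFFIX):
            continue
        counts[ev.dest_ip] += 1
    return [f"werfault_beaconing:{ip}" for ip, n in counts.items() if n >= BEACON_THRESHOLD]


# Constructed sample telemetry: ISO mounted as E:, plus one benign crash report.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\ScriptRunner.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"E:\WerFault.exe", r"C:\Windows\System32\ScriptRunner.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"E:\WerFault.exe"),
    ProcessEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_NETWORK_EVENTS = [NetworkEvent(r"E:\WerFault.exe", "203.0.113.10") for _ in range(4)] + [
    NetworkEvent(r"C:\Windows\System32\WerFault.exe", "192.0.2.1", "watson.telemetry.microsoft.com"),
]


def run_sample() -> dict[str, list[str]]:
    """Run all rules over the constructed events; keys are the flagged images."""
    alerts: dict[str, list[str]] = {}
    for ev in SAMPLE_PROCESS_EVENTS:
        hits = detect_process(ev)
        if hits:
            alerts[ev.image] = hits
    beacons = detect_beaconing(SAMPLE_NETWORK_EVENTS)
    if beacons:
        alerts["network"] = beacons
    return alerts


if __name__ == "__main__":
    for image, rules in run_sample().items():
        print(f"{image}: {', '.join(rules)}")
```

The process rules fire per event, so the copied WerFault.exe produces two alerts on a single record (wrong directory and unexpected ScriptRunner child), while the genuine System32 copy launched by svchost.exe stays silent; the network rule aggregates across events because a single outbound connection from WerFault.exe is unremarkable and only the repetition to one untrusted destination is.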