A new fileless attack, named the “Kraken” attack, was detected by Malwarebytes security researchers on September 17th. The attack technique abuses the Microsoft Windows Error Reporting Service (WER). The attack was packaged in a lure phishing document named “Compensation manual.doc,” inside a Zip file. The file claims to contain information relating to worker compensation rights, but when opened, it triggers a malicious macro, provided that macros are enabled or the targeted user clicks “OK” to allow the macro code to run. The macro initiates a fileless attack made possible through shellcode and is able to load a .NET-compiled binary called “Kraken.dll” into memory and execute it via VBScript. This payload injects an embedded shellcode payload into WerFault.exe, a process connected to the WER service and used by Microsoft to track and address operating system errors. This technique is also used by the NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware. The Kraken attack has not been attributed to a specific APT; however, security researchers believe some elements of the attack remind them of APT32.
APT32, also known as OceanLotus, is a Vietnamese APT that has been active since at least 2014. The group has targeted multiple private-sector industries as well as foreign governments, and is believed to be responsible for attacks against BMW and Hyundai in 2019. Defenders should monitor for unusual behavior from processes to detect stealthy attacks such as this one. For example, if WerFault.exe is responsible for initiating network connections to non-Microsoft domain names or IP addresses, that is a very suspicious event that should be detected and quickly investigated.
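As an added illustration of the WerFault.exe detection heuristic described above (example code, not part of the original report or of Malwarebytes' research), the following Python flags Sysmon-style network-connection events in which WerFault.exe reaches a destination outside a Microsoft domain allowlist. The event records, the field names and the allowlist of Microsoft domain suffixes are constructed assumptions to be tuned against real telemetry.

```python
# Constructed Sysmon-style network connection events (Event ID 3 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "DestinationHostname": "watson.telemetry.microsoft.com",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "DestinationHostname": "",                      # no resolved name, bare IP only
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "DestinationHostname": "update.example-cdn.net",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

# Assumed allowlist of Microsoft-owned suffixes that WER legitimately reports to.
# Treat it as a starting point: confirm against what your own hosts are observed to contact.
MICROSOFT_DOMAIN_SUFFIXES = ("microsoft.com", "windows.com", "live.com", "msn.com")


def is_microsoft_destination(hostname: str) -> bool:
    """True only when the host equals an allowlisted suffix or is a subdomain of one.

    Matching on a trailing label boundary avoids look-alikes such as
    'microsoft.com.example.net' slipping through."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_DOMAIN_SUFFIXES)


def suspicious_werfault_connections(events):
    """Return the events where WerFault.exe connects to a non-Microsoft destination.

    A connection with no resolved hostname at all is also returned, because a
    legitimate WER upload goes to a Microsoft-named endpoint, not a bare IP."""
    hits = []
    for ev in events:
        image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image_name != "werfault.exe":
            continue
        host = ev.get("DestinationHostname", "")
        if not host or not is_microsoft_destination(host):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in suspicious_werfault_connections(SAMPLE_EVENTS):
        print("SUSPICIOUS WerFault.exe connection:", hit["DestinationIp"],
              hit["DestinationHostname"] or "<no hostname>", hit["DestinationPort"])
```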