Threat actors have been observed abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into a compromised system's memory via DLL sideloading. The technique is stealthy because WerFault.exe is a legitimate, Microsoft-signed Windows executable present on every Windows installation: the binary itself is unmodified, so signature and hash checks on the process image pass, and only the DLL it loads is malicious.
The campaign using this technique begins with a phishing email carrying an ISO attachment. The ISO contains four files: a copy of the legitimate WerFault.exe binary, a DLL file, an XLS file, and an LNK shortcut. When the victim opens the LNK, it launches scriptrunner.exe, a legitimate Windows binary that is used here purely to proxy the execution of the bundled WerFault.exe. The DLL in the ISO is a malicious file named "faultrep.dll", the name of a genuine DLL that WerFault.exe loads on start-up from the Windows system directory. Because the Windows DLL search order checks the directory the executable was launched from before the system directory, the attacker's faultrep.dll sitting next to the copied WerFault.exe is loaded instead of the real one. The sideloaded DLL then performs two actions: it loads a copy of Pupy RAT into memory, and it opens the included XLS spreadsheet as a decoy so the victim sees an ordinary document. Pupy is an open-source remote access trojan that gives the threat actors full control of the infected device, allowing them to execute commands, steal data, install additional malware, or move laterally within the network.
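Because the WerFault.exe in the ISO is byte-for-byte the legitimate binary, hash- or signature-based detection on the process image will not catch this chain; what stands out is where the binaries run from, who launched them, and where faultrep.dll was loaded from. The following is an added example, not code from the original article or from any vendor report it draws on, showing how such checks can be expressed over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) telemetry. The log lines below are constructed to mirror the described chain (scriptrunner.exe launching WerFault.exe from a mounted ISO drive, which then loads faultrep.dll from the same drive); the field names follow Sysmon's JSON export, and the trusted-directory list assumes a default 64-bit Windows install path.

```python
import json
import ntpath

# Directories where the genuine WerFault.exe and faultrep.dll live on a
# default 64-bit Windows install (assumption: standard C:\Windows layout).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dir_of(path):
    """Normalised parent directory of a Windows path (lower-case, no trailing slash)."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _name_of(path):
    """Lower-case file name component of a Windows path."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path):
    return _dir_of(path) in TRUSTED_DIRS


def check_event(ev):
    """Return a list of finding strings for one Sysmon-style event dict.

    EventID 1 = process creation (Image, ParentImage),
    EventID 7 = image/DLL load (Image, ImageLoaded, Signed).
    """
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1 and _name_of(image) == "werfault.exe":
        parent = ev.get("ParentImage", "")
        # The real tool only ever runs from the system directory.
        if not in_trusted_dir(image):
            findings.append(f"WerFault.exe launched from untrusted directory: {image}")
        # Windows Error Reporting never starts WerFault via scriptrunner.exe.
        if _name_of(parent) == "scriptrunner.exe":
            findings.append(f"WerFault.exe proxied through scriptrunner.exe (parent {parent})")
    elif eid == 7 and _name_of(ev.get("ImageLoaded", "")) == "faultrep.dll":
        loaded = ev["ImageLoaded"]
        # Sideload: faultrep.dll resolved from the executable's own directory
        # instead of System32, exactly what the DLL search order allows.
        if not in_trusted_dir(loaded):
            findings.append(f"faultrep.dll sideloaded from untrusted directory: {loaded} (into {image})")
        # Defence in depth: the genuine DLL is Microsoft-signed, so an unsigned
        # copy in the trusted directory is also worth a look.
        elif str(ev.get("Signed", "true")).lower() != "true":
            findings.append(f"unsigned faultrep.dll loaded from trusted directory: {loaded}")
    return findings


def scan(log_lines):
    """Run check_event over JSON-per-line telemetry; returns (UtcTime, finding) tuples."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for finding in check_event(ev):
            hits.append((ev.get("UtcTime", "?"), finding))
    return hits


# Constructed sample telemetry (not real logs): a benign crash report first,
# then the ISO chain with the ISO mounted as drive E:.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2023-01-05 10:00:01", "Image": "C:\\Windows\\System32\\WerFault.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 7, "UtcTime": "2023-01-05 10:00:01", "Image": "C:\\Windows\\System32\\WerFault.exe", "ImageLoaded": "C:\\Windows\\System32\\faultrep.dll", "Signed": "true"}
{"EventID": 1, "UtcTime": "2023-01-05 10:05:10", "Image": "C:\\Windows\\System32\\scriptrunner.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2023-01-05 10:05:11", "Image": "E:\\WerFault.exe", "ParentImage": "C:\\Windows\\System32\\scriptrunner.exe"}
{"EventID": 7, "UtcTime": "2023-01-05 10:05:11", "Image": "E:\\WerFault.exe", "ImageLoaded": "E:\\faultrep.dll", "Signed": "false"}
""".splitlines()

if __name__ == "__main__":
    for when, finding in scan(SAMPLE_LOG):
        print(when, finding)
```

Run against the sample, the benign crash report produces nothing, while the ISO chain yields three findings: WerFault.exe running from E:\, its scriptrunner.exe parent, and faultrep.dll loaded from E:\. The path check is the important one; a WerFault.exe with a legitimate-looking parent but an unusual image path is still suspicious, and a mounted ISO or removable drive letter as the image directory is a strong signal on its own.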
The threat actors behind this specific campaign have not been identified, but they are believed to be based in China, based on indicators found within the decoy XLS spreadsheet.