A new fileless attack, named the “Kraken” attack, was detected by Malwarebytes security researchers on September 17th. The attack technique abuses the Microsoft Windows Error Reporting Service (WER). The attack was packaged in a lure phishing document named “Compensation manual.doc,” inside a Zip file. The file claims to contain information relating to worker compensation rights, but when opened, it triggers a malicious macro, provided that macros are enabled or the targeted user clicks “OK” to allow the macro code to run. The macro initiates a fileless attack made possible through shellcode and is able to load a .Net compiled binary called “Kraken.dll” into memory and execute it via VBScript. This payload injects an embedded shellcode payload into WerFault.exe, a process connected to the WER service and used by Microsoft to track and address operating system errors. This technique is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency stealing Cerber ransomware. The Kraken attack has not been attributed to one APT, however security researchers believe some elements of the attack remind them of APT32.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in