A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is potentially the work of a Vietnamese APT group, researchers said.

The attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, according to a blog post on Tuesday by researchers Hossein Jazi and Jérôme Segura. Instead, it leads them to a malicious website that can load malware that hides in WER, they said.

“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques,” researchers wrote.

WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It’s also included in Windows Mobile versions 5.0 and 6.0.

The service runs WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users would be unlikely to suspect any nefarious activity if the service is running, they said.

“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi and Segura wrote.

The use of this evasion tactic is not new, researchers noted, and the technique suggests a connection to the Vietnamese APT32 group, also known as OceanLotus.

“APT32 is one of the actors that is known to use CactusTorch HTA to drop variants of the Denis RAT,” researchers said. Moreover, the domain used to host malicious archives and documents is registered in Ho Chi Minh City, Vietnam, which also points to APT32, researchers noted.

That said, it’s still unclear exactly who is behind the attack because researchers did not access the final payload to examine it extensively, they said.

The attack begins as a ZIP file containing a malicious document, called “Compensation.manual.doc,” that threat actors distribute through spear-phishing attacks and which purports to offer information about compensation rights for workers.

“Inside we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode,” researchers wrote. “CactusTorch is leveraging the DotNetToJscript technique to load a .NET compiled binary into memory and execute it from vbscript.”
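The two observable stages described above (an Office macro launching execution, and a WerFault.exe process that is not the product of a real crash) are what a defender can look for in process-creation telemetry. The following is an added example, not code from Malwarebytes or from the report, that triages a handful of constructed process-creation events. It assumes, as a heuristic not stated in the article, that a genuine crash report starts WerFault.exe with switches such as `-u`, `-p <pid>` or `-pss`, and that a WerFault.exe whose parent is an Office application or script host does not come from the crash-reporting service. The sample events, hostnames and paths are constructed for illustration.

```python
"""Heuristic triage of process-creation events for WerFault.exe abuse.

Added example; not the report's code. Assumptions (not on the page):
a real crash report launches WerFault.exe with crash-report switches
(-u, -p <pid>, -s <handle>, -pss, -ip ...), and WerFault.exe spawned by an
Office application or a script host is not a crash report.
"""
import ntpath
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Switches WerFault.exe carries when launched for a real crash (assumed set).
CRASH_SWITCH = re.compile(r"(?:^|\s)-(?:u|p|s|pss|ip)\b", re.IGNORECASE)

# Constructed sample events (pid, image, parent image, command line).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Program Files\App\app.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 3980 -s 1136"},
    {"pid": 5022, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"C:\Windows\System32\WerFault.exe"},
    {"pid": 5100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Local\Temp\launch.js"},
    {"pid": 6010, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -pss -s 1234 -p 5678 -ip 5678"},
    {"pid": 6200, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (for case-insensitive matching)."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the names of the rules this event triggers (empty = nothing unusual)."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]

    if image == "werfault.exe":
        # Drop the image path from the command line and look at the switches.
        args = cmd[len(event["image"]):] if cmd.lower().startswith(event["image"].lower()) else cmd
        if not CRASH_SWITCH.search(args):
            hits.append("werfault_without_crash_args")
        if parent in OFFICE_HOSTS | SCRIPT_HOSTS:
            hits.append("werfault_from_document_or_script_host")

    # An Office application starting a script host is consistent with a
    # macro-driven chain such as the one the article describes.
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    return hits


def triage(events):
    """Map pid -> triggered rules for every event that triggers at least one."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event["pid"]] = hits
    return result


if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The first and fourth events are what a normal crash report looks like (a faulting application or the WER service starts WerFault.exe with crash-report switches) and produce no finding; the bare WerFault.exe started under WINWORD.EXE trips both WerFault rules. In a real deployment the switch set and parent list would be tuned against the environment's baseline, since the heuristics here are assumptions rather than values taken from the report.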

APT Attack Injects Malware into Windows Error Reporting