Another vital Windows tool is being abused to sideload malware


Cybercriminals have been spotted sideloading malware onto vulnerable Windows endpoints through a legitimate Windows Problem Reporting tool called WerFault.exe.

According to researchers from K7 Security Labs, who first discovered the campaign, hackers (presumably from China) send out a phishing email containing an ISO file. An ISO is an optical disc image file which, when opened, is mounted under a new drive letter (as if the user had loaded a CD or a DVD).

In this case, the ISO contains a clean copy of the WerFault.exe executable, but also three additional files - a DLL file named faultrep.dll, an XLS file called File.xls, and a shortcut file called Inventory & Our specialities.lnk.

Abusing legitimate software

The victim would first click the shortcut file, which would run the legitimate WerFault.exe file. Given that these are clean files, they won’t trigger any antivirus alarms. 

WerFault.exe will then try to load faultrep.dll which, under normal circumstances, is also a legitimate file the program needs to run properly. However, WerFault will first look for the file in the folder it is running from, and if the DLL found there is malicious (as is the case here), WerFault will load it and run the malware. This technique is called malware sideloading.
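The load pattern described above leaves a recognisable trace: WerFault.exe running from somewhere other than the Windows system folders and picking up faultrep.dll from its own folder. The following detection sketch is an added example, not code from K7 Security Labs or BleepingComputer; it assumes events shaped like Sysmon image-load (Event ID 7) records with `Image` and `ImageLoaded` fields, a Windows install in `C:\Windows`, and constructed sample events.

```python
import ntpath  # applies Windows path rules on any OS

# Assumption: Windows is installed in C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _dir(path):
    return ntpath.normcase(ntpath.dirname(path))

def _name(path):
    return ntpath.normcase(ntpath.basename(path))

def classify(event):
    """Return the reasons an image-load event matches the WerFault sideload pattern."""
    reasons = []
    image, loaded = event["Image"], event["ImageLoaded"]
    if _name(image) != "werfault.exe":
        return reasons  # only WerFault.exe is in scope here
    if _dir(image) not in SYSTEM_DIRS:
        reasons.append("WerFault.exe running outside a system directory")
    if _name(loaded) == "faultrep.dll" and _dir(loaded) not in SYSTEM_DIRS:
        reasons.append("faultrep.dll loaded from a non-system directory")
        if _dir(loaded) == _dir(image):
            reasons.append("faultrep.dll sits beside the executable")
    return reasons

def scan(events):
    """Return (event, reasons) pairs for every event with at least one reason."""
    return [(e, r) for e in events if (r := classify(e))]

# Constructed sample events; E: stands for a mounted ISO drive letter.
EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"Image": r"E:\WerFault.exe", "ImageLoaded": r"E:\faultrep.dll"},
    {"Image": r"E:\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\faultrep.dll"},
]

if __name__ == "__main__":
    for event, reasons in scan(EVENTS):
        print(event["Image"], "->", event["ImageLoaded"], reasons)
```

The first sample event is the normal case and produces no finding; the fourth is ignored because this check is scoped to WerFault.exe only.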

As per K7 Security Labs, the DLL will create two threads, one loading Pupy Remote Access Trojan’s DLL (dll_pupyx64.dll) into memory, and one that opens File.xls - a decoy file that serves no other purpose but to keep the victim busy while the malware loads on the endpoint. 

Pupy gives threat actors full access to the target device, enabling them to run commands, steal any data, or move through the network as they wish.

According to BleepingComputer, Pupy was used by Iranian state-sponsored threat actors APT33 and APT35, as well as hackers seeking to distribute the QBot malware.

Via: BleepingComputer

Sead Fadilpašić
