Another vital Windows tool is being abused to sideload malware

[Image: illustration of a laptop with a magnifying glass exposing a beetle on-screen. Image credit: Shutterstock / Kanoktuch]

Cybercriminals have been spotted sideloading malware onto vulnerable Windows endpoints through a legitimate Windows Problem Reporting tool called WerFault.exe.

According to researchers from K7 Security Labs, who first discovered the campaign, the hackers (presumably based in China) send out a phishing email containing an ISO file. An ISO is an optical disc image which, when opened on Windows, is mounted as a new drive letter, just as if the user had inserted a CD or DVD.

In this case, the ISO contains a clean copy of the WerFault.exe executable, but also three additional files - a DLL file named faultrep.dll, an XLS file called File.xls, and a shortcut file called Inventory & Our specialities.lnk.

Abusing legitimate software

The victim first clicks the shortcut file, which runs the legitimate WerFault.exe. Because both files are clean, they do not trigger any antivirus alarms.

WerFault.exe then tries to load faultrep.dll which, under normal circumstances, is also a legitimate file the program needs in order to run properly. However, WerFault looks for that DLL first in the folder it was launched from, so when the copy sitting next to it is malicious (as is the case here), the trusted executable effectively runs the malware. This technique is known as DLL sideloading.

As per K7 Security Labs, the DLL creates two threads: one loads the Pupy Remote Access Trojan's DLL (dll_pupyx64.dll) into memory, and the other opens File.xls, a decoy whose only purpose is to keep the victim occupied while the malware loads on the endpoint.
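The chain described above (a clean WerFault.exe launched from a mounted ISO, then loading faultrep.dll from the same folder) leaves a recognisable pattern in endpoint telemetry. The following detection script is an added example, not code from the article or from K7 Security Labs; it runs over constructed, simplified Sysmon-style events (EventID 1 for process creation, EventID 7 for image load) and flags WerFault.exe running from, or loading faultrep.dll from, anywhere other than the Windows system directories. Field names and the sample records are assumptions for illustration.

```python
# Added example (not from the article): detect the WerFault.exe / faultrep.dll
# sideloading pattern in simplified Sysmon-style telemetry.
# EventID 1 = process create, EventID 7 = image load; field names are assumptions.
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Directories where the genuine WerFault.exe and faultrep.dll live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32 or SysWOW64 (case-insensitive)."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent in SYSTEM_DIRS


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: Dict[str, object]) -> Optional[str]:
    """Return an alert string for a suspicious event, or None for benign ones."""
    if ev.get("EventID") == 1:
        image = str(ev["Image"])
        # The real WerFault.exe never runs from a removable/ISO drive or user folder.
        if _basename(image) == "werfault.exe" and not _in_system_dir(image):
            return f"WerFault.exe launched from non-system path: {image}"
    elif ev.get("EventID") == 7:
        image, loaded = str(ev["Image"]), str(ev["ImageLoaded"])
        # faultrep.dll resolved from the executable's own folder is the sideload itself.
        if (_basename(image) == "werfault.exe"
                and _basename(loaded) == "faultrep.dll"
                and not _in_system_dir(loaded)):
            return f"WerFault.exe loaded faultrep.dll from non-system path: {loaded}"
    return None


def scan(events: List[Dict[str, object]]) -> List[str]:
    """Run check_event over a batch of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample telemetry: a benign crash report, then the chain from a mounted ISO (E:).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"EventID": 1, "Image": r"E:\WerFault.exe"},
    {"EventID": 7, "Image": r"E:\WerFault.exe", "ImageLoaded": r"E:\faultrep.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The same path check generalises to any executable that is known to live only under the system directories; extend SYSTEM_DIRS if your environment legitimately runs WerFault.exe from elsewhere (for example, WinSxS servicing copies).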

Pupy gives threat actors full access to the target device, enabling them to run commands, steal any data, or move through the network as they wish.

According to BleepingComputer, Pupy was used by Iranian state-sponsored threat actors APT33 and APT35, as well as hackers seeking to distribute the QBot malware.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
