Cybercriminals have been spotted sideloading malware onto vulnerable Windows endpoints through a legitimate Windows Problem Reporting tool called WerFault.exe.
According to researchers from K7 Security Labs, which first discovered the campaign, hackers (presumably from China) would send out a phishing email containing an ISO file. ISO is an optical disk image file which, when ran, would load as a new drive letter (as if the user loaded a CD or a DVD).
In this case, the ISO contains a clean copy of the WerFault.exe executable, but also three additional files - a DLL file named faultrep.dll, an XLS file called File.xls, and a shortcut file called Inventory & Our specialities.lnk.
Abusing legitimate software
The victim would first click the shortcut file, which would run the legitimate WerFault.exe file. Given that these are clean files, they won’t trigger any antivirus alarms.
Then WerFault.exe will try to load faultrep.dll which, in usual circumstances, is also a legitimate file needed to run the program properly. However, WerFault will first look for the file in the same folder where it resides, and if the DLL is malicious (as is the case here), it will essentially run the malware. This technique is called malware sideloading.
As per K7 Security Labs, the DLL will create two threads, one loading Pupy Remote Access Trojan’s DLL (dll_pupyx64.dll) into memory, and one that opens File.xls - a decoy file that serves no other purpose but to keep the victim busy while the malware loads on the endpoint.
Pupy gives threat actors full access to the target device, enabling them to run commands, steal any data, or move through the network as they wish.
According to BleepingComputer, Pupy was used by Iranian state-sponsored threat actors APT33 and APT35, as well as hackers seeking to distribute the QBot malware.
- Here's our rundown of the best firewalls today
Via: BleepingComputer