Hackers are abusing the Windows Problem Reporting tool (WerFault.exe) to compromise systems, according to a report in BleepingComputer.
The attackers exploit WerFault.exe to load malware into a compromised system’s memory using a DLL sideloading technique. The legitimate Windows executable allows the hackers to operate without setting off alarms.
According to the article, the hacking campaign was spotted by K7 Security Labs, an Indian IT security firm specialising in antivirus and threat management solutions. While the K7 Threat Lab could not identify the hackers, it is believed that they are based in China.
How the attack plays out
First, the victim receives an email with an ISO attachment. As soon as the user double-clicks the attachment, the ISO mounts itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’), and a shortcut file (‘inventory & our specialties.lnk’).
When WerFault.exe is launched, the attack exploits a known DLL sideloading flaw to load the malicious ‘faultrep.dll’ DLL contained in the ISO. DLL sideloading is a technique in which a malicious DLL carrying the same name as a legitimate one is placed where the application's library search order finds it first, so the program loads the malicious copy instead of the genuine system file.
When the DLL is loaded, it injects the Pupy DLL (‘dll_pupyx64.dll’) into memory. Pupy is a well-known remote access trojan (RAT) that allows hackers to gain full access to infected devices, execute commands, steal data, install further malware and spread laterally across a network.
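From a defender's side, the chain above leaves a distinctive footprint in image-load telemetry: WerFault.exe and faultrep.dll both loading from a freshly mounted drive letter rather than from the Windows system directory. The following Python is an added detection example, not code from the article or from K7 Security Labs; it uses constructed records shaped like Sysmon Event ID 7 (Image loaded) fields, and the `E:` drive letter is an assumed value standing in for the mounted ISO.

```python
from pathlib import PureWindowsPath

# Constructed sample records shaped like Sysmon Event ID 7 (Image loaded).
# Record 2 mirrors the chain in the article: WerFault.exe and faultrep.dll
# both sitting on a mounted ISO drive letter (assumed E:) instead of System32.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"Image": r"E:\WerFault.exe",
     "ImageLoaded": r"E:\faultrep.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# Directories from which the genuine binaries are expected to load.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _trusted(path: str) -> bool:
    """True if the file's parent directory is one of the trusted system dirs."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS


def is_werfault_sideload(event: dict) -> bool:
    """Flag WerFault.exe loading faultrep.dll when either file lives outside
    the system directories (for example on a mounted ISO)."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if proc.name.lower() != "werfault.exe" or dll.name.lower() != "faultrep.dll":
        return False
    return not (_trusted(event["Image"]) and _trusted(event["ImageLoaded"]))


def flag_sideloads(events):
    """Return the subset of image-load events matching the sideload pattern."""
    return [e for e in events if is_werfault_sideload(e)]


if __name__ == "__main__":
    for hit in flag_sideloads(SAMPLE_EVENTS):
        print("suspicious sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The same check can be widened to any signed Windows binary known to be abused this way by keying on the binary-to-DLL pair instead of the two fixed names.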
QBot malware distributors were seen adopting a similar attack chain last summer, abusing the Windows Calculator to evade detection by security software.