The fileless attack uses a phishing campaign that lures victims with information about a workers’ compensation claim.
A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is potentially the work of a Vietnamese APT group, researchers said.
The attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, according to a blog post on Tuesday by researchers Hossein Jazi and Jérôme Segura. Instead, it leads them to a malicious website that can load malware that hides in WER, they said.
“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques,” researchers wrote.
WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It’s also included in Windows Mobile versions 5.0 and 6.0.
The service runs WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users would be unlikely to suspect anything nefarious if they saw the process running, they said.
“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi and Segura wrote.
The use of this evasion tactic is not new, researchers noted, and the technique suggests a connection to the Vietnamese APT32 group, also known as OceanLotus.
“APT32 is one of the actors that is known to use CactusTorch HTA to drop variants of the Denis RAT,” researchers said. Moreover, the domain used to host malicious archives and documents is registered in Ho Chi Minh City, Vietnam, which also points to APT32, researchers noted.
That said, it’s still unclear exactly who is behind the attack, because researchers were unable to retrieve the final payload and examine it in depth, they said.
The attack begins as a ZIP file containing a malicious document, called “Compensation.manual.doc,” which threat actors distribute through spear-phishing attacks and which purports to offer information about compensation rights for workers.
“Inside we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode,” researchers wrote. “CactusTorch is leveraging the DotNetToJscript technique to load a .NET compiled binary into memory and execute it from vbscript.”
The loaded payload is a .NET DLL with “Kraken.dll” as its internal name, which injects an embedded shellcode into WerFault.exe using a technique observed previously with the NetWire RAT and the Cerber ransomware, researchers noted.
In the recent campaign, the loader has two main classes, “Kraken” and “Loader,” that together complete the process of installing a malicious payload into the WER service, they said.
The “Kraken” class contains the shellcode that will be injected into the target process defined in this class as “WerFault.exe,” researchers wrote. This class has only one function: To call the “load” function of “loader” class with shellcode and target process as parameters. Then, that loader class is what is responsible for injecting shellcode into the target process by making Windows API calls, researchers wrote.
“The final shellcode is a set of instructions that make an HTTP request to a hard-coded domain to download a malicious payload and inject it into a process,” they said.
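The loader described above spawns or targets WerFault.exe, writes shellcode into it from another process, and the shellcode then reaches out over HTTP. Each of those steps leaves a trace that a defender can use, which is the flip side of the “users assume some error happened” cloaking the researchers describe. As an added illustration (not code from the Malwarebytes write-up), the Python sketch below scores Sysmon-style telemetry (event IDs 1, 8 and 3) for a WerFault.exe instance that is hosting injected code rather than reporting a crash. All events are constructed for the example; the field names follow Sysmon, but the rule names, severity labels and the `allowed_injectors` parameter are assumptions of this example, not anything on the page.

```python
import re

# Added example: toy detection logic for WerFault.exe hosting injected code.
# Input is Sysmon-style telemetry: event ID 1 (process creation), 8
# (CreateRemoteThread) and 3 (network connection). Field names follow Sysmon;
# rule names, severities and the allowlist are this example's own choices.

WERFAULT = r"c:\windows\system32\werfault.exe"

# A genuine crash report passes the faulting process id on the command line,
# e.g. "WerFault.exe -u -p 6988 -s 1120" or "WerFault.exe -pss -s 464 -p 6988 -ip 6988".
# An instance started with a bare command line has nothing to report.
CRASH_ARGS = re.compile(r"\s-p\s+\d+", re.IGNORECASE)


def is_werfault(image):
    return image.lower() == WERFAULT


def detect_werfault_abuse(events, allowed_injectors=frozenset()):
    """Return alerts (list of dicts) for WerFault.exe instances that look injected.

    allowed_injectors: lowercase image paths whose remote threads into
    WerFault.exe are tolerated (assumption: empty unless tuned per environment).
    """
    alerts = []
    suspicious = set()  # WerFault.exe PIDs already flagged by rule 1 or 2

    for ev in events:
        eid = ev["EventID"]

        if eid == 1 and is_werfault(ev["Image"]):
            # Rule 1: WerFault.exe launched without the crash-report arguments.
            if not CRASH_ARGS.search(ev["CommandLine"]):
                suspicious.add(ev["ProcessId"])
                alerts.append({
                    "rule": "werfault_without_crash_args", "severity": "medium",
                    "pid": ev["ProcessId"],
                    "detail": f"parent={ev['ParentImage']} cmdline={ev['CommandLine']!r}",
                })

        elif eid == 8 and is_werfault(ev["TargetImage"]):
            # Rule 2: another process created a thread inside WerFault.exe, which
            # is what CreateRemoteThread-style shellcode injection looks like.
            if ev["SourceImage"].lower() not in allowed_injectors:
                suspicious.add(ev["TargetProcessId"])
                alerts.append({
                    "rule": "remote_thread_into_werfault", "severity": "high",
                    "pid": ev["TargetProcessId"],
                    "detail": f"source={ev['SourceImage']} (pid {ev['SourceProcessId']})",
                })

        elif eid == 3 and is_werfault(ev["Image"]):
            # Rule 3: outbound connection from an instance already flagged above.
            # WerFault.exe legitimately talks to Microsoft's Watson endpoints, so
            # a network event on its own is not evidence; the PID correlation is.
            if ev["ProcessId"] in suspicious:
                alerts.append({
                    "rule": "flagged_werfault_network", "severity": "high",
                    "pid": ev["ProcessId"],
                    "detail": f"destination={ev['DestinationHostname']}",
                })
    return alerts


# Constructed sample telemetry (not real captures): PIDs, paths and the
# destination address are invented for this example.
OFFICE_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
WERFAULT_PATH = r"C:\Windows\System32\WerFault.exe"

BENIGN_EVENTS = [  # Notepad crashed and reported it the normal way
    {"EventID": 1, "ProcessId": 7012, "Image": WERFAULT_PATH,
     "CommandLine": WERFAULT_PATH + " -u -p 6988 -s 1120",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "ProcessId": 7012, "Image": WERFAULT_PATH,
     "DestinationHostname": "watson.telemetry.microsoft.com"},
]

ATTACK_EVENTS = [  # macro-bearing document, injection into WerFault.exe, callback
    {"EventID": 1, "ProcessId": 4120, "Image": OFFICE_WORD,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\Compensation.manual.doc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5560, "Image": WERFAULT_PATH,
     "CommandLine": WERFAULT_PATH,  # no "-p <pid>": nothing actually crashed
     "ParentImage": OFFICE_WORD},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": OFFICE_WORD,
     "TargetProcessId": 5560, "TargetImage": WERFAULT_PATH},
    {"EventID": 3, "ProcessId": 5560, "Image": WERFAULT_PATH,
     "DestinationHostname": "203.0.113.10"},
]

if __name__ == "__main__":
    for alert in detect_werfault_abuse(BENIGN_EVENTS + ATTACK_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']} {alert['detail']}")
```

On the constructed data the benign crash report produces no alerts, while the injected instance (PID 5560) trips all three rules. Rule 3 is deliberately gated on rules 1 or 2 because WerFault.exe makes outbound connections on its own in normal operation; alerting on every WerFault.exe network event would bury the real signal.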
Researchers said that they will continue investigating the attack’s link to APT32 to try to identify with more certainty the threat actors behind the new campaign.
APT32 is a Vietnam-linked APT that has been in operation since at least 2013. Its targets are mostly located in Southeast Asia. From at least January to April 2020, FireEye Mandiant researchers saw the group attacking China’s Ministry of Emergency Management, as well as the municipal government of Wuhan, in an apparent bid to steal intelligence regarding the country’s COVID-19 response.