A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is possibly the work of a Vietnamese APT group, researchers suggested.
The file-less attack uses a phishing campaign that tempts victims with information about a workers’ compensation claim.
Malwarebytes
This attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, says a blog post on Tues. by researchers Hossein Jazi & Jérôme Segura.
Instead, it leads them to a malicious website that can load malware that hides in WER, they commented.
Cactus Torch
“The threat actors compromised a website to host its payload & used the Cactus Torch framework to perform a file-less attack, followed by several anti-analysis techniques,” researchers wrote.
WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It is also included in Windows Mobile versions 5.0 & 6.0.
The service runs the WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users would not be likely to suspect any nefarious activity if the service is running, they observed.
WerFault.exe
“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi & Segura wrote.
The use of this tactic is hardly new, researchers said, & the technique suggests a connection to the Vietnamese APT32 group, also known as Ocean Lotus.
“APT32 is one of the actors that is known to use Cactus Torch HTA to drop variants of the Denis RAT,” researchers explained. Moreover, the domain used to host malicious archives & documents is registered in Ho Chi Minh City, Vietnam, which also suggests APT32, researchers noted.
ZIP file
It is still not clear exactly who is behind the attack, because researchers did not access the final payload to examine it extensively, they outlined.
The attack begins as a ZIP file containing a malicious document, called “Compensation.manual.doc” that threat players distribute through spear-phishing attacks, & which pretends to offer information on compensation rights for workers
“Inside we see a malicious macro that uses a modified version of Cactus Torch VBA module to execute its shellcode,” researchers wrote. “Cactus Torch is using the DotNetToJscript technique to load a .NET compiled binary into memory & execute it from vbscript.”
Kraken.dll
The payload is a .Net DLL with “Kraken.dll” as its internal name, which injects an embedded shellcode into WerFault.exe using a technique observed previously with the NetWire RAT & the Cerber ransomware, researchers noted.
In this campaign, the loader has 2 major classes, “Kraken” & “Loader,” that together complete the process of installing a malicious payload into the WER service, they further explained.
The “Kraken” class contains the shellcode that will be injected into the target process defined in this class as “WerFault.exe,” researchers wrote.
Shellcode
This class has only 1 function: To call the “load” function of “loader” class with shellcode & target process as parameters. Then, that loader class is responsible for injecting shellcode into the target process by making Windows API calls, researchers wrote.
“The final shellcode is a set of instructions that make an HTTP request to a hard-coded domain to download a malicious payload and inject it into a process,” they stated.
APT32
Researchers further explained that they will continue investigating the attack’s link to APT32 to try to identify with more certainty the threat players behind the new campaign.
APT32 is a Vietnam-linked APT that has been around since at least 2013.
Its targets are mostly in SE Asia. From at least Jan. to April, the FireEye Mandiant researchers have seen the group attacking China’s Ministry of Emergency Management, as well as the govt. of Wuhan Province, in an attempt to steal intelligence about the country’s COVID-19 response.
