Reports have emerged of an unidentified threat group that was observed abusing the legitimate Windows Error Reporting (WER) service as part of a fileless malware attack. Security researchers identified the campaign, tracked as “Kraken,” after observing a series of attacks that injected their payload into the Windows Error Reporting service as a defense evasion mechanism.
Kraken’s attacks start with phishing emails carrying a malicious document inside a ZIP archive. Once the victim opens the archive and the document, a CactusTorch VBA module executes shellcode that loads a .NET payload directly into the memory of the infected Windows device. The final malware payload, hosted on the site “asia-kotoba[.]net” and disguised as a favicon, is then downloaded and injected into a new process.
At the time of writing, researchers were unable to analyze the final payload because the hosting URL was down. Some of the tactics, techniques, and procedures (TTPs) used in this campaign resemble those of APT32 (also known as “OceanLotus” and “SeaLotus”), a Vietnamese state-sponsored cyberespionage group; however, at the time of writing, no positive attribution has been made.
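The chain described above (macro loader in an Office document, payload injected into the WER host, final stage fetched over the network) leaves two observable seams on the endpoint: who spawns the WER process, and whether that process talks to anything other than Microsoft's crash-reporting endpoints. The hunting script below is an added example, not code from the original report or from the researchers who analyzed Kraken. It assumes the injected WER host is WerFault.exe (the page names only the service), that events are Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records flattened to one JSON object per line, and that the "expected parent" and "expected upload destination" lists are placeholders to be tuned per environment. The sample events are constructed for the example; the staging host in them is the page's IOC with the defanging removed.

```python
"""Hunt for WerFault.exe abuse consistent with the Kraken chain.

Added example; assumptions (not stated on the page):
  * the WER host process is WerFault.exe;
  * events are Sysmon-style EventID 1 / 3 records as JSON lines;
  * EXPECTED_WER_PARENTS and WER_UPLOAD_SUFFIXES are placeholder
    allowlists, not authoritative lists of legitimate behaviour.
"""
import json

# Office applications that would host a CactusTorch VBA loader.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Parents that normally launch WerFault.exe (assumption, tune per fleet).
EXPECTED_WER_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}
# Destination suffixes treated as normal crash-report uploads (assumption).
WER_UPLOAD_SUFFIXES = (".microsoft.com",)


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_werfault(raw_lines):
    """Return (rule, pid, detail) tuples for suspicious WerFault.exe activity.

    Rules:
      werfault_from_office      - WerFault.exe created by an Office process
      werfault_unexpected_parent- WerFault.exe created by any other parent
                                  outside EXPECTED_WER_PARENTS
      werfault_network          - WerFault.exe initiating a connection to a
                                  host outside WER_UPLOAD_SUFFIXES
    """
    findings = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if _basename(ev.get("Image", "")) != "werfault.exe":
            continue
        pid = ev.get("ProcessId")
        eid = ev.get("EventID")
        if eid == 1:
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_APPS:
                findings.append(("werfault_from_office", pid, parent))
            elif parent not in EXPECTED_WER_PARENTS:
                findings.append(("werfault_unexpected_parent", pid, parent))
        elif eid == 3 and ev.get("Initiated", True):
            host = ev.get("DestinationHostname", "").lower()
            if not host.endswith(WER_UPLOAD_SUFFIXES):
                detail = f"{host}:{ev.get('DestinationPort')}"
                findings.append(("werfault_network", pid, detail))
    return findings


# Constructed sample events (not real telemetry). Backslashes are doubled
# once for Python and once for JSON.
SAMPLE_EVENTS = [
    # Benign: the WER service spawns WerFault.exe for a crashed application.
    '{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\WerFault.exe", '
    '"ProcessId": 4120, "ParentImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", '
    '"CommandLine": "WerFault.exe -u -p 3980 -s 1732"}',
    # Suspicious: WerFault.exe launched by Word, consistent with a macro loader.
    '{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\WerFault.exe", '
    '"ProcessId": 5568, "ParentImage": "C:\\\\Program Files\\\\Microsoft Office'
    '\\\\root\\\\Office16\\\\WINWORD.EXE", "CommandLine": "WerFault.exe"}',
    # Suspicious: that WerFault.exe fetches the final stage from the staging host.
    '{"EventID": 3, "Image": "C:\\\\Windows\\\\System32\\\\WerFault.exe", '
    '"ProcessId": 5568, "Initiated": true, '
    '"DestinationHostname": "asia-kotoba.net", "DestinationPort": 443}',
    # Benign: ordinary crash-report upload.
    '{"EventID": 3, "Image": "C:\\\\Windows\\\\System32\\\\WerFault.exe", '
    '"ProcessId": 4120, "Initiated": true, '
    '"DestinationHostname": "watson.telemetry.microsoft.com", "DestinationPort": 443}',
]

if __name__ == "__main__":
    for rule, pid, detail in hunt_werfault(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Correlating the two rules on the same ProcessId (here 5568) is what separates a macro-launched WER host that also beacons out from the occasional benign oddity; in production, join on ProcessId and ProcessGuid rather than treating either rule alone as conclusive.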
Nuspire recommended that users be vigilant about suspicious links or documents from unknown senders and validate the legitimacy of email content before opening attachments, to minimize the risk of such attacks.
The following indicators of compromise have been identified with the Kraken campaign: