Windows Error Reporting Service Abused in Fileless Malware Attacks

Wednesday, Oct 7, 2020

Reports have emerged of an unspecified threat group abusing the legitimate Windows Error Reporting (WER) service as part of a fileless malware attack. Security researchers identified the campaign, tracked as “Kraken,” after observing a series of attacks that injected the payload into the WER process (WerFault.exe) as a defense evasion technique: the malicious code runs inside a trusted, Microsoft-signed Windows binary rather than in a process of its own.

Kraken’s attacks start with phishing emails carrying a malicious document inside a ZIP archive. Once the victim extracts the archive and opens the document, its macro executes shellcode via the CactusTorch VBA framework module, which loads a .NET payload straight into the infected Windows device’s memory. That in-memory loader then downloads the final payload, hosted on “asia-kotoba[.]net” and disguised as a favicon image, and injects it into a new process.

At the time of writing, researchers were unable to analyze the final payload because the hosting URL was down. Some of the tactics, techniques, and procedures (TTPs) used in this campaign resemble those of APT32, also known as “OceanLotus” and “SeaLotus,” a Vietnamese state-sponsored cyberespionage group; however, at the time of writing no positive attribution has been made.

Nuspire recommends that users remain vigilant about suspicious links or documents from unknown senders and validate the legitimacy of email content before opening attachments, to minimize the risk of such attacks. Because the loader runs entirely in memory inside a trusted Windows process, endpoint monitoring should also cover unexpected WerFault.exe launches (for example, spawned by an Office application that has not crashed) and network connections from WerFault.exe to hosts other than Microsoft’s.

The following indicators of compromise (IOCs) have been associated with the Kraken campaign:

SHA-256 hashes:
31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942
15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30
d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4

Domains:
yourrighttocompensation[.]com
asia-kotoba[.]net
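To make the alert actionable, the following Python hunt, added here and not part of Nuspire's alert or the original researchers' tooling, runs the two behaviours described above (WerFault.exe spawned by the macro-bearing Office process without a real crash, and the injected WerFault.exe reaching out for the final payload) together with the IOC list against constructed Sysmon-style events. The pipe-delimited event format, the Microsoft host allowlist, and the heuristic that a genuine WER launch carries crash-report arguments such as `-u -p <pid> -s <event>` are assumptions made for this example, not details taken from the report.

```python
"""Hunt for Kraken-style WerFault.exe abuse in Sysmon-like events.

Added example for this alert, not code from Nuspire or the original
researchers. The event format, field names and the legitimate-WER
heuristics below are assumptions, not facts from the report.
"""
import re

# Indicators quoted from the alert (defanging brackets removed for matching).
KRAKEN_SHA256 = {
    "31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942",
    "15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30",
    "d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4",
}
KRAKEN_DOMAINS = {"yourrighttocompensation.com", "asia-kotoba.net"}

# Assumption: genuine WER uploads go to Microsoft-operated hosts only.
TRUSTED_WER_SUFFIXES = (".microsoft.com", ".windows.com")
# Assumption: WerFault.exe started by a real crash carries report arguments
# such as "-u -p <pid> -s <event>"; a bare "WerFault.exe" launch does not.
WER_ARGS = re.compile(r"\s-(u|p|s|pss|k|lc)\b")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' event line into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Pull the SHA256 out of a Sysmon-style 'Hashes' field ('SHA256=..,MD5=..')."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def analyze(event):
    """Return a list of (severity, reason) findings for a single event."""
    findings = []
    digest = sha256_of(event)
    if digest in KRAKEN_SHA256:
        findings.append(("critical", f"known Kraken sample hash {digest[:12]}..."))

    host = event.get("DestinationHostname", event.get("QueryName", "")).lower().rstrip(".")
    if host in KRAKEN_DOMAINS:
        findings.append(("critical", f"contact with Kraken domain {host}"))

    if basename(event.get("Image", "")) != "werfault.exe":
        return findings

    if event.get("EventID") == "1":  # process creation
        cmd = event.get("CommandLine", "")
        parent = basename(event.get("ParentImage", ""))
        if not WER_ARGS.search(cmd):
            sev = "high" if parent in OFFICE_APPS else "medium"
            findings.append((sev, f"WerFault.exe started by {parent} without report arguments: {cmd!r}"))
    elif event.get("EventID") in ("3", "22") and host:  # network connection / DNS query
        if not host.endswith(TRUSTED_WER_SUFFIXES):
            findings.append(("high", f"WerFault.exe reached non-Microsoft host {host}"))
    return findings


def hunt(lines):
    """Run analyze() over every event line; return {line_index: findings}."""
    results = {}
    for idx, line in enumerate(lines):
        if line.strip():
            hits = analyze(parse_event(line))
            if hits:
                results[idx] = hits
    return results


# Constructed sample telemetry: two benign WER events followed by the Kraken chain.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\WerFault.exe|CommandLine=C:\Windows\System32\WerFault.exe -u -p 4120 -s 1892|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventID=3|Image=C:\Windows\System32\WerFault.exe|DestinationHostname=watson.telemetry.microsoft.com|DestinationPort=443",
    r"EventID=1|Image=C:\Windows\System32\WerFault.exe|CommandLine=WerFault.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventID=3|Image=C:\Windows\System32\WerFault.exe|DestinationHostname=asia-kotoba.net|DestinationPort=443",
    r"EventID=15|Image=C:\Program Files\Mozilla Firefox\firefox.exe|TargetFilename=C:\Users\Public\Downloads\compensation.zip|Hashes=SHA256=31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942",
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        for sev, why in hits:
            print(f"[{sev}] event {idx}: {why}")
```

The first two sample events (a crash report with real arguments and an upload to a Microsoft host) produce no findings, which is the point of the heuristics: WerFault.exe itself is normal on every Windows machine, so the hunt keys on how it was started and where it talks, and only falls back to the static IOCs for the archive hash and the payload domain.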