New Attack Abused Windows Error Reporting Service to Evade Detection

5 years ago David Bisson

Security researchers came across a new attack that abused the Windows Error Reporting (WER) service in order to evade detection.

Malwarebytes observed that the attack began with a .ZIP file containing “Compensation manual.doc.”

The security firm reasoned that those responsible for this attack had likely used spear-phishing emails to distribute the document, a file which pretended to contain information about workers’ rights.

Malicious Document (Source: Malwarebytes)

This document harbored a malicious macro that used a modified version of the CactusTorch VBA module to conduct a fileless attack: the macro loaded a .NET compiled binary straight into memory and executed it from the script, so the binary never touched disk.

Named “Kraken.DLL,” this binary advanced the infection chain by injecting embedded shellcode into WerFault.exe, the process that Windows Error Reporting launches to handle application crashes. Malwarebytes explained in its research that this choice of host process likely helped the attack evade detection:

WerFault.exe is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened while in this case they have actually been targeted in an attack.

The injected shellcode was a loader DLL that split its malicious activity across multiple threads in order to evade detection. The DLL also performed several anti-analysis routines, such as checking for an attached debugger and looking for signs that it was running inside VMware or VirtualBox.

Assuming those checks came back negative, the loader created its final shellcode in a new thread. This shellcode, in turn, used an HTTP request to connect to a hard-coded domain, download a malicious payload and inject it into a process.

The security firm reasoned that this payload was another shellcode hosted on a compromised website. Even so, the URL was down at the time of analysis, so it couldn’t investigate further.
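The chain above leaves a recognisable footprint in process telemetry: WerFault.exe started by an Office or script host rather than by the WER service or a crashing application, WerFault.exe started without the faulting-process arguments a genuine crash report carries, and a remote thread created inside WerFault.exe by another process. The following triage script is an added example and not part of the original article or Malwarebytes' research. It runs a few heuristic rules over constructed Sysmon-style Event ID 1 (process create) and Event ID 8 (CreateRemoteThread) records; the event records, the list of suspicious parent images and the assumption that a legitimate WerFault.exe launch includes a `-p <pid>` argument are all assumptions to be tuned against your own baseline.

```python
"""Heuristic triage of Sysmon-style events for abuse of WerFault.exe.

Added example. The sample events are constructed for illustration (not real
telemetry); field names follow Sysmon Event ID 1 and Event ID 8.
"""
import re
from typing import Callable, Dict, List

# Hosts under which a macro-launched loader typically runs. None of these has
# a legitimate reason to start WerFault.exe itself (assumption used as a rule).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe",
}

# A genuine crash report names the faulting process with "-p <pid>" (assumption;
# check against WerFault.exe launches captured on your own hosts).
FAULTING_PID = re.compile(r"(?:^|\s)-p\s+\d+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (either separator)."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process_create(ev: dict) -> List[str]:
    """Event ID 1: flag odd WerFault.exe launches."""
    reasons: List[str] = []
    if basename(ev.get("Image", "")) != "werfault.exe":
        return reasons
    parent = basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"WerFault.exe spawned by {parent}")
    if not FAULTING_PID.search(ev.get("CommandLine", "")):
        reasons.append("WerFault.exe started without a faulting-process pid (-p)")
    return reasons


def check_remote_thread(ev: dict) -> List[str]:
    """Event ID 8: flag a remote thread created inside WerFault.exe."""
    reasons: List[str] = []
    if basename(ev.get("TargetImage", "")) != "werfault.exe":
        return reasons
    source = basename(ev.get("SourceImage", ""))
    if source != "werfault.exe":
        reasons.append(f"remote thread created in WerFault.exe by {source}")
    return reasons


RULES: Dict[int, Callable[[dict], List[str]]] = {1: check_process_create, 8: check_remote_thread}


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Return {RecordId: reasons} for every event that trips at least one rule."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        if rule is None:
            continue
        reasons = rule(ev)
        if reasons:
            findings[ev["RecordId"]] = reasons
    return findings


# Constructed sample telemetry: one benign crash report, one macro-hosted
# launch of WerFault.exe, one injection into it, and two unrelated events.
SAMPLE_EVENTS = [
    {"RecordId": "R1", "EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4120 -s 1344"},
    {"RecordId": "R2", "EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\System32\WerFault.exe"},
    {"RecordId": "R3", "EventID": 8,
     "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\WerFault.exe"},
    {"RecordId": "R4", "EventID": 8,
     "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"RecordId": "R5", "EventID": 3, "Image": r"C:\Windows\System32\WerFault.exe"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS).items():
        print(record_id, "->", "; ".join(reasons))
```

Run stand-alone, the script flags R2 (two reasons) and R3 and ignores the benign crash report R1. The parent-image rule is the one most worth keeping: a WerFault.exe whose parent is an Office binary is rare enough on a workstation fleet to be alerted on directly, whereas the `-p` heuristic should first be validated against captured launches, since WER is invoked with several argument shapes.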

Malwarebytes noted that APT32 might have been behind this campaign, given that it has previously observed the threat actor use CactusTorch HTA to drop the Denis RAT.

The post “New Attack Abused Windows Error Reporting Service to Evade Detection” appeared first on TripWire (author: David Bisson).
