NGTEdu

A PRODUCT OF NGTECH.CO.IN
New Attack Abused Windows Error Reporting Service to Evade Detection

6 years ago David Bisson

Security researchers came across a new attack that abused the Windows Error Reporting (WER) service in order to evade detection.

Malwarebytes observed that the attack began with a .ZIP file containing “Compensation manual.doc.”

The security firm reasoned that those responsible for this attack had most likely distributed the document through spear-phishing emails; the file posed as information about workers’ rights.

Malicious Document (Source: Malwarebytes)

This document harbored a malicious macro that used a modified version of the CactusTorch VBA module to conduct a fileless attack: rather than dropping anything to disk, it loaded a compiled .NET binary straight into memory and executed it using VBScript.

Named “Kraken.DLL,” this binary advanced the infection chain by injecting embedded shellcode into WerFault.exe, the process Windows runs to report application and system crashes. Malwarebytes explained in its research that this tactic might have helped the attack evade detection:

WerFault.exe is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened while in this case they have actually been targeted in an attack.

The injected shellcode created a DLL that spread its malicious activity across multiple threads in order to evade detection. More than that, the DLL also performed several anti-analysis routines, such as checking for the presence of a debugger and looking to see whether it was running inside VMware or VirtualBox.

If none of those checks fired, the loader created its final shellcode in a new thread. This shellcode, in turn, used an HTTP request to connect to a hard-coded domain, download a malicious payload and inject it into a process.
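One way to hunt for the WerFault.exe abuse described above, and for the HTTP callback that follows it, as an added example that is not code from the TripWire article or from the Malwarebytes research: a Python script that scores Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records for each WerFault.exe instance. The sample events, the callback hostname and the allowlist of Microsoft report-upload hosts are constructed for illustration. The rules themselves rest on two assumptions the reader should validate against their own baseline: a WerFault.exe launched for a real crash carries crash-report switches (-u -p <pid> -s <handle>) whose -p value names the faulting process, which is also its parent, and service-brokered reports are spawned by svchost.exe hosting WerSvc, so the parent-PID comparison is skipped for those.

```python
"""
Hunt for abuse of WerFault.exe in Sysmon-style telemetry.

Added example: not code from the TripWire article or the Malwarebytes
research.  The events below are constructed for illustration; field names
follow Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect).
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Word genuinely crashed: standard switches, and -p names the parent PID.
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3988,
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 3988 -s 1234",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Kraken-style: the macro host spawns WerFault.exe with no switches at all.
    {"EventID": 1, "ProcessId": 5032, "ParentProcessId": 3988,
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # That same instance then beacons over cleartext HTTP (hostname constructed).
    {"EventID": 3, "ProcessId": 5032, "Image": r"C:\Windows\System32\WerFault.exe",
     "Initiated": True, "DestinationHostname": "compromised-site.invalid",
     "DestinationPort": 80},
    # Normal report upload by the legitimately launched instance.
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\WerFault.exe",
     "Initiated": True, "DestinationHostname": "watson.telemetry.microsoft.com",
     "DestinationPort": 443},
    # Switches present, but -p names a PID that is not the parent.
    {"EventID": 1, "ProcessId": 6100, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"WerFault.exe -u -p 9999 -s 4",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Unrelated process; ignored by the hunt.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allowlist of hosts a legitimate WerFault.exe uploads reports to.
WER_UPLOAD_SUFFIXES = (".microsoft.com", ".windows.com")
P_SWITCH = re.compile(r"(?:^|\s)-p\s+(\d+)\b")


def is_werfault(image):
    return image.lower().endswith("\\werfault.exe")


def argument_string(command_line):
    """Return everything after the image token (handles a quoted image path)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def check_process_create(ev):
    """Reasons a WerFault.exe ProcessCreate event looks abnormal (empty = clean)."""
    reasons = []
    args = argument_string(ev["CommandLine"])
    if not args:
        # A crash report arrives with switches (-u -p <pid> -s <handle> for
        # user-mode faults, -k variants for kernel reports).  A bare launch is
        # what a loader that starts the process only to inject into it does.
        reasons.append("launched with no crash-report switches")
    m = P_SWITCH.search(args)
    # Assumption: when the faulting process launches WerFault.exe itself, -p
    # names that process, so it should equal the parent PID.  Service-brokered
    # reports are spawned by svchost.exe (WerSvc) instead, so those are skipped.
    if (m and not ev["ParentImage"].lower().endswith("\\svchost.exe")
            and int(m.group(1)) != ev["ParentProcessId"]):
        reasons.append(f"-p {m.group(1)} does not match parent PID {ev['ParentProcessId']}")
    return reasons


def check_network(ev):
    """Reasons an outbound connection from WerFault.exe looks abnormal."""
    reasons = []
    host = ev.get("DestinationHostname", "").lower()
    if ev.get("DestinationPort") == 80:
        reasons.append(f"cleartext HTTP to {host}:80")
    if not host.endswith(WER_UPLOAD_SUFFIXES):
        reasons.append(f"destination {host or '<no hostname>'} is not a known WER upload host")
    return reasons


def hunt(events):
    """Correlate findings per WerFault.exe PID; returns {pid: [reasons]} for flagged ones."""
    findings = defaultdict(list)
    for ev in events:
        if not is_werfault(ev["Image"]):
            continue
        if ev["EventID"] == 1:
            findings[ev["ProcessId"]].extend(check_process_create(ev))
        elif ev["EventID"] == 3 and ev.get("Initiated"):
            findings[ev["ProcessId"]].extend(check_network(ev))
    return {pid: reasons for pid, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"WerFault.exe pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Against the constructed events the hunt flags PID 5032 (no switches, cleartext HTTP, unknown destination) and PID 6100 (the -p value names a process other than the parent) and stays silent on the genuine Word crash. The parent image is deliberately not used as a signal on its own: Office applications crash often enough that WINWORD.EXE spawning WerFault.exe is normal, and it is the missing switches and the post-launch network behaviour that separate an injection target from a real crash report.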

The security firm reasoned that this payload was another piece of shellcode hosted on a compromised website. However, the URL was down at the time of analysis, so it could not investigate further.

Malwarebytes suggested that APT32 might have been behind this campaign, given that it has observed the threat actor use CactusTorch HTA to drop the Denis RAT in the past.

The post “New Attack Abused Windows Error Reporting Service to Evade Detection” appeared first on TripWire.

Source: TripWire – David Bisson

Tags: APT, Encryption, Malware, Phishing, RAT, TripWire, VMWARE

Copyright © 2020 All rights reserved | NGTEdu.com