Another vital Windows tool is being abused to sideload malware

Hackers abuse Windows error reporting tool to deploy malware


Cybercriminals have been spotted sideloading malware onto vulnerable Windows endpoints through a legitimate Windows Problem Reporting tool called WerFault.exe.

According to researchers from K7 Security Labs, which first discovered the campaign, hackers (presumably from China) would send out a phishing email containing an ISO file. ISO is an optical disk image format which, when opened, mounts as a new drive letter (as if the user had inserted a CD or a DVD).

In this case, the ISO contains a clean copy of the WerFault.exe executable, but also three additional files - a DLL file named faultrep.dll, an XLS file called File.xls, and a shortcut file called Inventory & Our specialities.lnk.

Abusing legitimate software

The victim would first click the shortcut file, which would run the legitimate WerFault.exe file. Given that these are clean files, they won’t trigger any antivirus alarms.

Then WerFault.exe will try to load faultrep.dll which, in usual circumstances, is also a legitimate file needed to run the program properly. However, WerFault will first look for the file in the same folder where it resides, and if the DLL there is malicious (as is the case here), it will essentially run the malware. This technique is called malware sideloading (more specifically, DLL sideloading).
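As an added defender-side illustration (not code from K7 Security Labs or the article), the check below runs over constructed Sysmon Event ID 7 (image load) records and flags WerFault.exe loading faultrep.dll from anywhere other than the Windows system directory, which is exactly the situation the campaign relies on. The field names follow Sysmon's conventions; the records themselves are made up for the example.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 records, as a log shipper might export them to JSON.
# These are sample lines for the example, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe", "ImageLoaded": "C:\\Windows\\System32\\faultrep.dll", "Signed": "true"}
{"EventID": 7, "Image": "E:\\WerFault.exe", "ImageLoaded": "E:\\faultrep.dll", "Signed": "false"}
{"EventID": 7, "Image": "E:\\WerFault.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
"""

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Host binaries and the DLLs they legitimately load from the system directory.
# The pairing from the article is WerFault.exe -> faultrep.dll; extend as needed.
WATCHED_PAIRS = {"werfault.exe": {"faultrep.dll"}}


def is_system_path(path: str) -> bool:
    """True when the file's parent directory is one of the Windows system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def find_sideload_events(jsonl: str) -> list:
    """Return image-load events where a watched binary loads its DLL under suspicious conditions."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue  # only image-load events matter here
        image = PureWindowsPath(ev["Image"])
        loaded = PureWindowsPath(ev["ImageLoaded"])
        expected = WATCHED_PAIRS.get(image.name.lower())
        if not expected or loaded.name.lower() not in expected:
            continue  # not a watched binary/DLL pairing
        reasons = []
        if not is_system_path(ev["ImageLoaded"]):
            reasons.append("DLL loaded from outside the system directory")
        if not is_system_path(ev["Image"]):
            reasons.append("host binary running outside the system directory")
        if str(ev.get("Signed", "")).lower() != "true":
            reasons.append("loaded DLL is unsigned")
        if reasons:
            hits.append({"image": str(image), "dll": str(loaded), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print(hit)
```

The same rule transfers to other sideloading pairs by adding entries to WATCHED_PAIRS; the legitimate load from System32 in the first record produces no alert.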


As per K7 Security Labs, the DLL will create two threads, one loading Pupy Remote Access Trojan’s DLL (dll_pupyx64.dll) into memory, and one that opens File.xls - a decoy file that serves no other purpose but to keep the victim busy while the malware loads on the endpoint.

Pupy gives threat actors full access to the target device, enabling them to run commands, steal any data, or move through the network as they wish.


According to BleepingComputer, Pupy was used by Iranian state-sponsored threat actors APT33 and APT35, as well as hackers seeking to distribute the QBot malware.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
