Posted on October 8, 2020 at 4:16 PM
Two Malwarebytes researchers, Jérôme Segura and Hossein Jazi, revealed that an unknown hacking group is abusing the Windows Error Reporting (WER) service in an attack they named Kraken, after the name of its loader class.
The group uses the technique to stay under the radar by running its payload inside the WER reporting process rather than in a process of its own.
“On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service,” the researchers stated.
The researchers say they spotted the attack through WerFault.exe, the reporting process that normally appears when an application, a Windows feature, or the operating system itself runs into an error.
Hackers used evasion and anti-analysis techniques
The report also notes that the threat actors used evasion and anti-analysis techniques, including checks for debuggers and sandbox environments.
Little is known about who is behind the attack, but the researchers believe the actors are likely an APT group. The attack is delivered by phishing, as a .ZIP attachment.
Once the user opens the malicious document, its macro runs; the malicious code uses a customised version of the CactusTorch VBA module to carry out a fileless attack.
The actors improved on stock CactusTorch by modifying the macro so that the target process is specified in the .Net payload rather than in the VBA code itself.
According to the security researchers, the loader has two main classes named “Loader” and “Kraken.”
At the time of the analysis the malware’s hard-coded target URL was no longer reachable, which makes it difficult to attribute the attack to a particular threat actor. The researchers did, however, find some links to the APT32 cyber-espionage group in the loader.
APT32 is a well-known espionage group believed to have been active since 2012. It has attacked organisations across many industries as well as governments, and is regarded as one of the more capable groups because its targeting spans multiple industries and the governments of several countries.
Security researchers have tracked the group for years, although it has repeatedly tried to stay under the radar by operating under different aliases.
APT32 has targeted foreign corporations with business interests in Vietnam’s hospitality, consumer products and manufacturing sectors.
It has also targeted network security and technology infrastructure companies, as well as other security firms with links to foreign investors.
According to the Malwarebytes report, the attack relies on hiding the malware inside the WER executable’s process to stay under the radar.
The researchers note that while injecting into WerFault.exe is not an entirely new technique, it is an effective one for avoiding detection.
CactusTorch loads a .Net binary, Kraken.dll, into memory and executes it from VBScript. That payload then injects an embedded shellcode into WerFault.exe, the process the WER service uses to report errors in the operating system and its applications.
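The chain above (an Office macro spawning WerFault.exe and injecting shellcode into it) leaves a recognisable trail in process telemetry. The following is an added example, not code from Malwarebytes or from the Kraken loader: a small set of hunting rules run over constructed Sysmon-style events (EventID 1 = process creation, EventID 8 = CreateRemoteThread). Field names follow Sysmon; every path, pid and handle value in the sample records is made up, and the rules assume the usual WerFault.exe invocations (`-u -p <pid> -s <handle>` from the faulting process, `-pss ... -p <pid>` from the WER service host).

```python
"""
Hunting for WerFault.exe used as an injection host. Added example; not
Malwarebytes' or Kraken's code. Sample records below are constructed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
WERFAULT = "werfault.exe"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reported_pid(cmdline):
    """The -p <pid> argument names the faulting process in a genuine crash report."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)\b", cmdline)
    return int(m.group(1)) if m else None


def check_process_create(ev):
    """Rules for an EventID 1 record; returns a finding string or None."""
    if basename(ev["Image"]) != WERFAULT:
        return None
    parent = basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "").strip().strip('"')
    # Crash reporting always passes arguments. A bare image path is what a
    # loader that only wants a host process to inject into tends to produce.
    if cmd.lower() in ("", ev["Image"].lower(), WERFAULT):
        return f"WerFault.exe started without reporting arguments by {parent} (pid {ev['ParentProcessId']})"
    # If an Office app or script host really crashed, -p carries the parent's
    # own pid. A mismatch means the parent spawned WerFault for another reason.
    if parent in OFFICE_APPS | SCRIPT_HOSTS and reported_pid(cmd) != ev["ParentProcessId"]:
        return f"WerFault.exe spawned by {parent} with -p {reported_pid(cmd)} instead of its own pid {ev['ParentProcessId']}"
    return None


def check_remote_thread(ev):
    """Rules for an EventID 8 record: crash handling never starts threads inside the reporter."""
    if basename(ev["TargetImage"]) == WERFAULT and basename(ev["SourceImage"]) != WERFAULT:
        return f"{basename(ev['SourceImage'])} created a remote thread in WerFault.exe (pid {ev['TargetProcessId']})"
    return None


def detect(events):
    """Apply the rules to a list of events; returns [(EventID, finding), ...]."""
    findings = []
    for ev in events:
        msg = None
        if ev["EventID"] == 1:
            msg = check_process_create(ev)
        elif ev["EventID"] == 8:
            msg = check_remote_thread(ev)
        if msg:
            findings.append((ev["EventID"], msg))
    return findings


# Constructed sample telemetry: two genuine crash reports (Word crashing, and
# the WER service host reporting) followed by three records matching the loader.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1212",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentProcessId": 4120},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -pss -s 456 -p 1234 -ip 1234",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 1880},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentProcessId": 4120},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 9999 -s 11",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentProcessId": 5000},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\WerFault.exe", "TargetProcessId": 6120},
]

if __name__ == "__main__":
    for event_id, finding in detect(SAMPLE_EVENTS):
        print(f"[EventID {event_id}] {finding}")
```

The first two sample records produce no findings; the last three do. The remote-thread rule is the most robust of the three, since a loader can always dress up the command line but cannot get its shellcode running without a thread (or an equivalent execution primitive) in the target.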
The technique has also been used by Cerber ransomware
According to Malwarebytes, WerFault.exe is launched whenever an error occurs in an application, a Windows feature, or the operating system itself.
That makes it good cover: a user who notices WerFault.exe running assumes an application has crashed, not that the machine has been compromised.
The technique is not unique to this actor. The cryptocurrency-stealing Cerber ransomware and the NetWire Remote Access Trojan (RAT) have also injected into WerFault.exe.
The Kraken operators added anti-analysis measures as well: the DLL spreads its work across multiple threads, checks for debuggers and sandbox environments, and reads the registry to determine whether it is running inside an Oracle VirtualBox or VMware virtual machine.
The code is written to terminate as soon as it detects that it is being analysed, which makes the payload harder to observe and trace.
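A registry-based VirtualBox/VMware check of the kind described above works by looking for a handful of well-documented guest artifacts. The following is an added example, not Kraken's code: a harness that reports which of those artifacts a machine exposes, so an analyst can test whether a sandbox would trip such a check (and hide the markers) instead of having the sample exit silently. The marker list is a set of widely known VirtualBox and VMware registry keys and BIOS strings; the registry is reached through a small reader object so the same logic runs against a constructed snapshot on any OS and against HKLM on Windows (via the standard `winreg` module). The snapshot contents are constructed.

```python
"""
VM-artifact check harness. Added example; not Kraken's code. It reports the
markers it finds instead of terminating. Snapshots below are constructed.
"""
import sys

# (key under HKLM, value name or None for "does the key exist",
#  substring to look for in the value data, label)
VM_MARKERS = [
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, None, "VirtualBox Guest Additions key"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxGuest", None, None, "VBoxGuest driver service"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VBOX", "VirtualBox system BIOS string"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "VIRTUALBOX", "VirtualBox video BIOS string"),
    (r"SOFTWARE\VMware, Inc.\VMware Tools", None, None, "VMware Tools key"),
    (r"SYSTEM\CurrentControlSet\Services\VMTools", None, None, "VMTools service"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "VMWARE", "VMware video BIOS string"),
]


class SnapshotRegistry:
    """Reader over a constructed {key: {value_name: data}} snapshot (offline use)."""

    def __init__(self, snapshot):
        self._snap = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}

    def key_exists(self, key):
        return key.lower() in self._snap

    def get_value(self, key, name):
        return self._snap.get(key.lower(), {}).get(name.lower())


class LiveRegistry:
    """Reader over HKEY_LOCAL_MACHINE via the standard winreg module (Windows only)."""

    def __init__(self):
        import winreg  # assumption: running on Windows
        self._w = winreg

    def key_exists(self, key):
        try:
            self._w.CloseKey(self._w.OpenKey(self._w.HKEY_LOCAL_MACHINE, key))
            return True
        except OSError:
            return False

    def get_value(self, key, name):
        try:
            with self._w.OpenKey(self._w.HKEY_LOCAL_MACHINE, key) as h:
                data, _ = self._w.QueryValueEx(h, name)
            return data  # REG_MULTI_SZ values come back as a list; str() below handles that
        except OSError:
            return None


def vm_artifacts(reg):
    """Return the labels of every marker present in the registry seen through `reg`."""
    hits = []
    for key, name, needle, label in VM_MARKERS:
        if name is None:
            present = reg.key_exists(key)
        else:
            data = reg.get_value(key, name)
            present = data is not None and needle in str(data).upper()
        if present:
            hits.append(label)
    return hits


# Constructed snapshots: a VirtualBox guest with Guest Additions, and a physical host.
VBOX_GUEST = {
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.14"},
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest": {"Start": 1},
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"],
                                     "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.14"]},
}
PHYSICAL_HOST = {
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["LENOVO - 1234"],
                                     "VideoBiosVersion": ["Intel Video BIOS"]},
}

if __name__ == "__main__":
    reg = LiveRegistry() if sys.platform == "win32" else SnapshotRegistry(VBOX_GUEST)
    found = vm_artifacts(reg)
    print("VM artifacts exposed:" if found else "no VM artifacts found", *found)
```

On a Windows sandbox the script reads the live registry; elsewhere it runs against the VirtualBox snapshot. Every label it prints is a marker a sample could use to decide to terminate, which is the list a sandbox operator needs to work through when hardening the environment.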