Hackers exploit an important Windows tool to spread malware


An information security company has discovered that hackers are abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into the memory of infected systems from DLL files delivered alongside it.

K7 Security Labs stated that the purpose of using the WerFault.exe executable is to run malware through a legitimate Windows binary, thereby infecting devices without triggering an alert on the infected system.

The company that disclosed the new activity has not been able to identify the hackers, but they are believed to be based in China.

K7 Security Labs reported that the malware campaign begins with an email carrying an ISO attachment. Double-clicking it mounts the ISO as a new drive letter containing a legitimate copy of the Windows executable WerFault.exe, along with errorrep.dll, File.xls and a shortcut file (stock and our Specialty.lnk).

As soon as the victim clicks the shortcut file, which uses scriptrunner.exe to run WerFault.exe, the system becomes infected with the malware. WerFault is the standard Windows error reporting tool used in Windows 10 and Windows 11; it lets the system track and report errors related to the operating system or applications, and offers suggestions for possible solutions.

WerFault is generally trusted by antivirus tools because it is a legitimate Windows executable signed by Microsoft, so running it on a system usually does not raise any alert for the victim.

Once launched, WerFault.exe is abused through a known DLL sideloading weakness to load a malicious file (errorrep.dll) located in the ISO.

Errorrep.dll is normally a legitimate DLL located in the folder (C:\Windows\System) that WerFault needs in order to function properly. The malicious DLL in the ISO, however, contains additional code that runs the malware.

The technique of creating a malicious DLL with the same name as a legitimate library and getting a trusted executable to load it is called DLL sideloading.

Sideloading a DLL requires that the malicious version of the DLL sit in the same directory as the executable that is being run. When the executable is launched, Windows loads the DLL from that directory in preference to the original one, as long as it carries the same name.
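A detection-side illustration of the pattern described above, added here and not part of the original report: the script scans constructed Sysmon-style image-load records and flags a known Windows binary that loads a same-directory DLL from outside its system folder. The host list, the record format and the sample lines are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a defender-curated list of signed Windows binaries known to be
# used as sideloading hosts; the article's case is WerFault.exe.
SIDELOAD_HOSTS = {"werfault.exe"}
# Directories from which a Windows binary is expected to resolve its own DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\system")

@dataclass
class ImageLoad:
    image: PureWindowsPath         # process that performed the load
    image_loaded: PureWindowsPath  # DLL that was mapped into it
    signed: bool                   # whether the DLL carried a valid signature

def parse_record(line: str) -> ImageLoad:
    """Parse one '|'-separated Key=Value record (constructed, Sysmon-like ID 7 fields)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=PureWindowsPath(fields["Image"]),
        image_loaded=PureWindowsPath(fields["ImageLoaded"]),
        signed=fields.get("Signed", "false").lower() == "true",
    )

def in_system_dir(path: PureWindowsPath) -> bool:
    return str(path.parent).lower() in SYSTEM_DIRS

def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like DLL sideloading; an empty list means benign."""
    if ev.image.name.lower() not in SIDELOAD_HOSTS:
        return []
    reasons = []
    if not in_system_dir(ev.image):
        reasons.append("host binary running outside its system directory")
    # The precondition from the article: the DLL sits beside the executable,
    # so the loader picks it up before the genuine copy under Windows.
    if ev.image_loaded.parent == ev.image.parent and not in_system_dir(ev.image_loaded):
        reasons.append("DLL loaded from the executable's own directory")
    if not ev.signed:
        reasons.append("unsigned DLL")
    return reasons

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"Image=E:\WerFault.exe|ImageLoaded=E:\errorrep.dll|Signed=false",
    r"Image=C:\Windows\System32\WerFault.exe|ImageLoaded=C:\Windows\System\errorrep.dll|Signed=true",
    r"Image=C:\Program Files\App\app.exe|ImageLoaded=C:\Program Files\App\helper.dll|Signed=true",
]

def scan(lines) -> dict[str, list[str]]:
    """Map each flagged record to the reasons it was flagged."""
    return {line: r for line in lines if (r := sideload_reasons(parse_record(line)))}
```

Only the first sample record, WerFault.exe running from a mounted drive and loading an unsigned errorrep.dll from the same place, is returned by `scan`.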

When the malicious DLL is loaded, it creates two execution paths: one loads the Pupy Remote Access Trojan DLL (dll_pupyx64.dll) into memory, and the other opens the bundled XLS spreadsheet as a decoy.

Pupy RAT is an open-source, publicly available Python-based remote access trojan that supports reflective DLL loading to avoid detection and can download additional modules later.

The malware gives the hackers full access to infected devices, allowing them to run commands, steal data, install more malware, or spread across the network.

Because it is open source, it has been used by many state-backed espionage actors, such as the Iranian APT33 and APT35 groups, since such tools make attribution more difficult.

Last summer, the malware distributor QBot was caught in a similar series of attacks that hijacked Windows computers while avoiding detection by security software.
