Security researchers just uncovered a new fileless attack that exploits Microsoft Windows Error Reporting (WER).
The hacking group behind the so-called Kraken attack is yet to be identified.
Security researchers Hossein Jazi and Jérôme Segura say that the attack relies on malware hiding in WER-based executables. This way it remains unnoticed without creating any suspicion.
The Kraken Fileless Attack Explained
The attack starts with a phishing lure: a document delivered in a .ZIP file, titled “Compensation manual.doc.” As seen in plenty of phishing attacks, the document claims to contain information about employee compensation rights. However, if an employee of an organization opens it and enables macros, a malicious macro runs. Getting the victim to enable macros is one of the oldest tricks in phishing-based malicious campaigns.
In this case, the macro uses a custom version of the CactusTorch VBA module, which initiates a fileless attack through shellcode. CactusTorch then downloads a .NET-compiled binary, dubbed Kraken.dll, which is loaded into memory and executed via VBScript. The payload injects embedded shellcode into WerFault.exe, which is connected to the Microsoft WER service. The shellcode also makes an HTTP request to a hard-coded domain, possibly to download additional malware.
“Windows Error Reporting (WER) is a flexible event-based feedback infrastructure designed to gather information about the hardware and software problems that Windows can detect, report the information to Microsoft, and provide users with any available solutions,” Microsoft says.
Usually, when a Windows user sees the WerFault.exe running, they may think that some error occurred. However, in this particular case, the execution of this file means a targeted malware attack. It is noteworthy that the same technique has been deployed by NetWire RAT and Cerber ransomware.
Other malicious activities seen in this fileless campaign include code obfuscation, running the DLL in multiple threads, probing for sandbox and debugger environments, and scanning the registry for VMware or Oracle VirtualBox virtual machines. Also, if any analysis activities are located, they will be terminated.
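Because a running WerFault.exe is easy to dismiss as an ordinary crash report, it helps to check how each instance was launched. The triage below over process-creation events is an added example, not code from the researchers or the original article; the sample events are constructed, and the three heuristics (image path, parent process, a `-p <pid>` argument) are assumptions about normal WER behaviour.

```python
import ntpath

# Heuristics are assumptions for illustration, not indicators published by the researchers.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events, shaped like Sysmon Event ID 1 (process creation) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4312 -s 1180",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\Public\WerFault.exe",
     "CommandLine": r"C:\Users\Public\WerFault.exe -u -p 77 -s 12",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def werfault_findings(event):
    """Return reasons a WerFault.exe launch looks abnormal (empty list = nothing flagged)."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "werfault.exe":
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
        reasons.append("image outside system directory")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SUSPECT_PARENTS:
        reasons.append("spawned by Office or script host: " + parent)
    # Assumption: a crash-report launch names the faulting process with -p <pid>.
    args = event.get("CommandLine", "").lower().split()
    if "-p" not in args:
        reasons.append("no -p <pid> argument")
    return reasons

def triage(events):
    """Map event index -> reasons, for flagged WerFault.exe launches only."""
    return {i: r for i, e in enumerate(events) if (r := werfault_findings(e))}

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx]["Image"], "->", "; ".join(reasons))
```

These checks only cover how the process was started; code injected into an already legitimate WerFault.exe instance needs memory or network telemetry to surface.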
Unknown attackers are behind the Kraken fileless attacks
Because the hard-coded target URL of the malware was taken down while the researchers were doing the analysis, it is currently impossible to attribute the attack to a particular threat group. However, some elements of the Kraken attack are reminiscent of OceanLotus, a Vietnamese APT group.
The OceanLotus malware has been focused on infecting specific networks in targeted attack campaigns. The criminal collective behind it carries out campaigns against both corporate businesses and government agencies in Asia: Laos, Cambodia, Vietnam, and the Philippines. What is known about these particular attacks is that they are orchestrated by a very experienced hacking group.
Why fileless malware?
The idea behind fileless malware is simple: if tools already exist on a device, such as PowerShell.exe, to fulfill an attacker’s objectives, then why drop custom tools that could be flagged as malware? If a cybercriminal can take over a process, run code in its memory space, and then use that code to call tools that are already on a device, the attack becomes stealthy and nearly impossible to detect.