Researchers have identified attackers are exploiting Windows Problem Reporting—an error reporting tool—to deliver malware to a targeted system. The embedded Windows tool allows attackers to infect the devices without raising any red flags.
How hackers abuse the tool
K7 Security Labs researchers revealed that threat actors are abusing the legitimate Windows Problem Reporting tool WerFault.exe are probably from Chinese origin.
Hackers are delivering Pupy RAT in the ongoing campaign.
The targeted victim receives an email hooked with an ISO file which, upon execution, mounts to the targeted device as a new drive.
This mounted drive carries a genuine copy of the WerFault.exe file, along with additional files - an XLS file named File.xls, a malicious DLL named faultrep.dll, and a shortcut lnk file inventory & our specialties.lnk.
What to know about WerFault
WerFault.exe is a standard tool used in Windows 10 and 11 to report errors and explore possible solutions and recommendations.
Since this executable is signed by Microsoft, launching this doesn’t trigger any flags on the victim’s device.
Similarly, faultrep.dll is the name of the legitimate DLL required for WerFault to run correctly. However, attackers use a malicious version of this DLL, which gets loaded during the execution, thus leading to DLL sideloading.
Infection chain
The infection chain starts when the user clicks on the shortcut file, which launches the WerFault.exe from the ISO while using the malicious DLL file.
The DLL creates two threads, one to load the Pupy RAT's DLL (dll_pupyx64.dll) and the other one to open a decoy XLS spreadsheet to divert the victim’s attention.
Pupy RAT tries to make a connection with the C2 in the background, while the victim remains in the disguise that WerFault is executing.
The RAT allows attackers to take control of the infected devices, including the execution of commands, stealing data, and installation of other malware.
End notes
The use of ISO files and abuse of genuine Windows tools to deliver Pupy RAT indicates that the operators of this campaign know what will keep them under the radar. To stay protected, organizations are recommended to strengthen their endpoint security and implement defense mechanisms to detect and thwart such malicious activities in the early stage.