Malicious activity has been seen with cybercriminals exploiting a Windows software called WerFault.exe, which is typically used for problem reporting, to malware sideload onto vulnerable Windows computers.
The malicious activity involves using WerFault.exe to download and install malicious software onto the computer, in order to gain access to the system and steal data or spread malware. This malicious activity can be avoided by ensuring that the system is updated regularly and that the latest security patches are applied. Additionally, users should be aware of suspicious activity on their computer, such as unexpected pop-ups or downloads, and take steps to investigate and remove any malicious software.
Researchers from K7 Security Labs discovered a phishing campaign, likely perpetrated by hackers from China. The attack involved sending an ISO file via email; ISO files work like a CD or DVD and cause a new drive letter to appear when they are activated.
Malware Sideload and Windows Tool
The ISO has a pristine version of WerFault.exe, plus three extra files: faultrep.dll, File.xls and Inventory & Our specialities.lnk.
To protect against this type of attack, users should always be suspicious of unexpected emails and attachments. Before opening any attachments, users should scan them with anti-virus software and research the sender to make sure they are legitimate. Additionally, users should be aware of any strange behavior on their computer, such as unexpected pop-ups or downloads, and take steps to investigate and remove any malicious software. Additionally, users should make sure their operating system and software are up to date, as this helps to protect against new and emerging threats.
The victim would initially click on the shortcut, executing the genuine WerFault.exe. As these files are unaltered, they will not set off any antivirus warnings.
WerFault.exe will attempt to locate faultrep.dll, usually a necessary part of running a program correctly. However, first it will try to find this DLL in the same folder as itself; if a malicious version is present, the technique known as “malware sideloading” will be employed to run the malware.
To protect against new and emerging threats, victims should be sure to keep their operating systems and software up to date, as well as use strong passwords, practice safe browsing, and employ the use of robust antivirus and anti-malware software. Additionally, victims should be wary of clicking on suspicious links or shortcuts, and should avoid downloading and running any unknown files. Furthermore, victims should be sure to back up their data regularly, as this can help protect against data loss due to malicious attacks.
According to K7 Security Labs, two threads will be generated by the DLL. One thread will bring the Pupy Remote Access Trojan’s DLL (dll_pupyx64.dll) into the memory and another will open the decoy file (File.xls), which has no other purpose than to distract the victim while the malicious software is being installed on the endpoint.
Pupy grants adversaries complete control over the victim machine, allowing them to execute commands, pilfer any data, and traverse the network at will.
The Pupy Remote Access Trojan is a malicious software that once installed on a victim’s computer, grants the attacker complete access to the machine. It is usually spread through malicious emails or websites, and once installed, it can be used to execute commands, steal data, and traverse the network. The malicious software can be installed through a malicious DLL file, which is usually embedded in an innocuous-looking file, such as an Excel spreadsheet, in order to distract the user while the malicious software is being installed.
BleepingComputer reports that Pupy has been employed by Iranian state-sponsored APT33 and APT35 threat actors, as well as cybercriminals distributing QBot malware.
In conclusion, it is clear that cybercriminals are exploiting the Windows software, WerFault.exe, to sideload malware onto vulnerable Windows computers. It is important for computer users to be aware of the risks of this malicious activity and to exercise caution when using their computers, particularly in regards to the installation of software or updating existing software. Additionally, taking proper security measures to keep the computer safe from malware should be the priority of any user.