[Nulled] » Information security » K7 Security Labs resellers have discovered a campaign by an unknown actor
January 16 2023

K7 Security Labs resellers have discovered a campaign by an unknown

web3 16-01-2023, 12:32 Information security 182

K7 Security Labs resellers have discovered a campaign by an unknown actor, presumably based in China, who uses Windows Problem Reporting (WerFault.exe ) to launch remote administration tools.

Hackers abuse WerFault.exe for Windows to load malware into compromised system memory using the DLL side loading method.

WerFault is a standard reporting tool in Windows 10 and 11 that allows the system to track and report errors related to the OS or applications.

This Windows executable file is used to covertly infect devices without any warnings in the system about a security breach.

The campaign begins with receiving an email with an attachment in ISO format, which contains four files: WerFault.exe , malicious DLL (faultrep.dll ) with the name faultrep.dll , a shortcut file (inventory & our specialties.lnk) and File.xls .

The victim starts a chain of infections by clicking the shortcut of the file that uses scriptrunner.exe to launch WerFault.exe .

Antivirus solutions usually trust WerFault because it is a legal Windows executable signed by Microsoft, so running it on the system usually does not cause warnings.

After its launch, a known vulnerability of side loading DLL is used to install a malicious DLL faultrep.dll .

It is a legitimate DLL required for WerFault to work properly.

However, the downloaded version of the DLL in the ISO image contains additional code to run malware.

In the process of downloading the DLL, two threads are created, one of which loads the DLL of the Puppy Remote Access Trojan (dll_pupyx64.dll ) into memory, and the other opens the included XLS spreadsheet as a decoy.

Puppy RAT is an open source cross-platform remote administration tool written in Python that supports loading a reflective DLL to avoid detection, as well as additional modules that are loaded later.

Malware allows attackers to gain full access to infected devices by executing commands, stealing data, installing other malware, and distributing it over the network.

The malware tries to establish a C2 connection in the background when the victim believes that WerFault is running.

Using this open source tool certainly makes attribution much more difficult.

However, this did not prevent researchers from mentioning that it was also used by Iranian APT33 and APT35 in espionage campaigns as early as 2013.

On the other hand, last summer it was noticed how QBot operators used a similar chain of attacks, using a Windows calculator to avoid detection.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:32
  • Publication category(s): Information security
  • Number of views of the publication: 182
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Deep Instinct recercers

Deep Instinct recercers discovered a new company using remote access Trojans (RAT) Strat and Ratty, whose

Read more
16 January 2023
Information security
Group-IB uncovered Dark

Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the

Read more
16 January 2023
Information security
In their latest report,

In their latest report, Crowdstrike report how Scattered Spider tried to implement BYOVD using an old Intel driver

Read more
16 January 2023
Information security»,Protection and hacking»,DDOS
Let's go back to Zerobot

Let's go back to Zerobot, which was originally reported by Fortinet two weeks ago. The Internet of Things (IoT)

Read more
16 January 2023
Information security
ESET announces a new

ESET announces a new StrongPity campaign, in which APT distributes a fake Shagle application, which is a Trojan

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +8 Total articles 6750
  • +19 Comments 4231
  • +39 Users : 6061