K7 Security Labs resellers have discovered a campaign by an unknown actor, presumably based in China, who uses Windows Problem Reporting (WerFault.exe ) to launch remote administration tools.
Hackers abuse WerFault.exe for Windows to load malware into compromised system memory using the DLL side loading method.
WerFault is a standard reporting tool in Windows 10 and 11 that allows the system to track and report errors related to the OS or applications.
This Windows executable file is used to covertly infect devices without any warnings in the system about a security breach.
The campaign begins with receiving an email with an attachment in ISO format, which contains four files: WerFault.exe , malicious DLL (faultrep.dll ) with the name faultrep.dll , a shortcut file (inventory & our specialties.lnk) and File.xls .
The victim starts a chain of infections by clicking the shortcut of the file that uses scriptrunner.exe to launch WerFault.exe .
Antivirus solutions usually trust WerFault because it is a legal Windows executable signed by Microsoft, so running it on the system usually does not cause warnings.
After its launch, a known vulnerability of side loading DLL is used to install a malicious DLL faultrep.dll .
It is a legitimate DLL required for WerFault to work properly.
However, the downloaded version of the DLL in the ISO image contains additional code to run malware.
In the process of downloading the DLL, two threads are created, one of which loads the DLL of the Puppy Remote Access Trojan (dll_pupyx64.dll ) into memory, and the other opens the included XLS spreadsheet as a decoy.
Puppy RAT is an open source cross-platform remote administration tool written in Python that supports loading a reflective DLL to avoid detection, as well as additional modules that are loaded later.
Malware allows attackers to gain full access to infected devices by executing commands, stealing data, installing other malware, and distributing it over the network.
The malware tries to establish a C2 connection in the background when the victim believes that WerFault is running.
Using this open source tool certainly makes attribution much more difficult.
However, this did not prevent researchers from mentioning that it was also used by Iranian APT33 and APT35 in espionage campaigns as early as 2013.
On the other hand, last summer it was noticed how QBot operators used a similar chain of attacks, using a Windows calculator to avoid detection.