Kraken fileless attack technique abuses Microsoft Windows Error Reporting (WER)

An unidentified group of hackers is using a new fileless attack technique, dubbed Kraken, that abuses the Microsoft Windows Error Reporting (WER).

Malwarebytes researchers Hossein Jazi and Jérôme Segura have documented a new fileless attack technique, dubbed Kraken, that abuses the Microsoft Windows Error Reporting (WER) service. The hacking technique was employed by an unidentified hacking group to avoid detection.

“On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.” states the blog post published by Malwarebytes.

“That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens.”

Threat actors employed anti-analysis and evasion techniques, including, code obfuscation and performing some checks for sandbox or debugger environments.

The threat actor that employed the Kraken technique, likely an APT group, launched a phishing attack that used messages with a .ZIP file attachment.

The .ZIP archive, titled, “Compensation manual.doc,” claims to contain information relating to worker compensation rights.

Upon opening the document, a macro is triggered, the malicious code uses a custom version of the CactusTorch VBA module to perform a fileless attack.

Unlike CactusTorch VBA that specifies the target process to inject the payload into it within the macro, but the threat actor behind this campaign modified the macro and specified the target process within the .Net payload.

The payload loaded is a .Net DLL internally named “Kraken.dll” and compiled on 2020-06-12.

This DLL acts as a loader that injects an embedded shellcode into WerFault.exe. According to the experts the loader has two main classes named “Kraken” and “Loader“.

The last shellcode in the attack chain is composed of a set of instructions that make an HTTP request to a hard-coded domain to download a malicious payload and inject it into a process.

At the time of the analysis, the hard-coded target URL of the malware was not reachable making it impossible to attribute the Kraken technique to a specific threat actor. However, Malwarebytes researchers have found some links with APT32, which is a Vietnam-linked cyberespionage group.

The APT32 group has been active since at least 2012, it has targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Malwarebytes’s report includes Indicators of Compromise (IoCs).

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Kraken)

[adrotate banner=”5″]

[adrotate banner=”13″]