Cybercriminals have been reported sideloading malware onto Windows endpoints via a legitimate Windows problem-reporting tool, WerFault.exe.

According to researchers at K7 Security Labs, who first discovered the campaign, the hackers (presumably from China) send a phishing email carrying an ISO file. An ISO is an optical disc image; when opened on Windows it is mounted as a new drive letter, as if the user had inserted a CD or DVD.

In this case, the ISO contains a clean copy of the WerFault.exe executable plus three additional files: a DLL named faultrep.dll, a spreadsheet named File.xls, and a shortcut file named Inventory & Our specialties.lnk.

Abuse of legitimate software

The victim first clicks the shortcut file, which launches the legitimate WerFault.exe from the mounted ISO. Because the shortcut and the executable are clean, they do not trigger an antivirus alert on their own.

Next, WerFault.exe tries to load faultrep.dll, a DLL it legitimately depends on and that normally lives in the Windows system directory. Windows searches the directory the executable was launched from before it searches the system directories, so the copy of WerFault.exe on the ISO picks up the attacker's faultrep.dll sitting next to it instead of the genuine one, and the malicious code runs inside a trusted, signed process. This technique is called DLL sideloading, a form of DLL search-order hijacking.
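The following is an added detection example, not code from the article, K7 Security Labs or BleepingComputer. It applies the search-order observation above to image-load telemetry: it flags any WerFault.exe that maps a faultrep.dll from outside the Windows system directories, which covers both a copied WerFault.exe running from a mounted ISO and the genuine System32 binary being pointed at a planted DLL. The records are constructed Sysmon-style Event ID 7 (ImageLoad) events with the fields Image, ImageLoaded and Signed; the drive letter D: and the file paths are assumptions for illustration, not from the report.

```python
"""Hunt for WerFault.exe sideloading faultrep.dll in image-load telemetry.

Added example, not code from the article, K7 Security Labs or BleepingComputer.
The records below are constructed Sysmon-style Event ID 7 (ImageLoad) events
with the fields Image, ImageLoaded and Signed; they are not a real capture.
"""
import ntpath
from dataclasses import dataclass

# Directories the genuine WerFault.exe and faultrep.dll are expected to live in.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # Sysmon "Image": the process that performed the load
    image_loaded: str  # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool       # Sysmon "Signed": Authenticode signature present and valid


def _dir_of(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return ntpath.dirname(path).lower()


def _name_of(path: str) -> str:
    """File name part of a Windows path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def is_faultrep_sideload(ev: ImageLoad) -> bool:
    """True when WerFault.exe maps a faultrep.dll that is not the Windows copy.

    Covers both shapes of the abuse: a copied WerFault.exe running from a
    mounted ISO (for example drive D:) that picks up the faultrep.dll beside it,
    and the genuine System32 WerFault.exe pulling faultrep.dll from anywhere else.
    """
    if _name_of(ev.image) != "werfault.exe":
        return False
    if _name_of(ev.image_loaded) != "faultrep.dll":
        return False
    return _dir_of(ev.image_loaded) not in TRUSTED_DIRS


def explain(ev: ImageLoad) -> str:
    """One-line analyst note for a flagged event."""
    if _dir_of(ev.image) == _dir_of(ev.image_loaded):
        where = "the same directory as the executable"
    else:
        where = "an unexpected directory"
    sig = "signed" if ev.signed else "unsigned"
    return f"{ev.image} loaded {sig} {ev.image_loaded} from {where}"


def find_sideloads(events):
    """Return the subset of events that look like faultrep.dll sideloading."""
    return [ev for ev in events if is_faultrep_sideload(ev)]


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    # Normal crash reporting: the system binary loads the system DLL.
    ImageLoad(r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\faultrep.dll", True),
    # The pattern from the article: a clean WerFault.exe copied to an ISO
    # mounted as D:, loading the attacker's faultrep.dll that sits next to it.
    ImageLoad(r"D:\WerFault.exe", r"D:\faultrep.dll", False),
    # The 32-bit copy behaving normally.
    ImageLoad(r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\faultrep.dll", True),
    # Unrelated process loading a different DLL: ignored.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\wer.dll", True),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("ALERT:", explain(hit))
```

The check deliberately keys on the loaded DLL's directory rather than on the process path alone: an attacker who leaves WerFault.exe in System32 and instead drops faultrep.dll into a writable directory earlier in the search path is caught by the same rule, and the Signed field is reported rather than trusted, since a planted DLL could carry a stolen or self-signed certificate.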

According to K7 Security Labs, the DLL creates two threads: one loads the Pupy Remote Access Trojan DLL (dll_pupyx64.dll) into memory, and the other opens File.xls, a decoy document whose only purpose is to keep the victim occupied while the malware loads on the endpoint.

Pupy gives attackers full remote access to the compromised device, allowing them to execute commands, steal data or move laterally across the network as they see fit.

According to BleepingComputer, Pupy has previously been used by the Iranian state-sponsored threat actors APT33 and APT35, as well as by operators distributing the QBot malware.

Via: BleepingComputer