Hackers abuse Windows error reporting tool to deploy malware

Gandalf_The_Grey

Thread author
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique.

The use of this Windows executable is to stealthily infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable.

The new campaign was spotted by K7 Security Labs, which could not identify the hackers, but they are believed to be based in China.

The malware campaign starts with the arrival of an email with an ISO attachment. When double-clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file ('faultrep.dll'), an XLS file ('File.xls'), and a shortcut file ('inventory & our specialties.lnk').

WerFault is the standard Windows error reporting tool used in Windows 10 and 11, allowing the system to track and report errors related to the operating system or applications.

Windows uses the tool to report an error and receive potential solution recommendations.

Antivirus tools commonly trust WerFault as it's a legitimate Windows executable signed by Microsoft, so launching it on the system won't usually trigger alerts to warn the victim.

When WerFault.exe is launched, it will use a known DLL sideloading flaw to load the malicious 'faultrep.dll' DLL contained in the ISO.
 

Zero Knowledge

You should always disable Windows Error Reporting in services. It's been abused by the NSA and now other APT groups for years. But the question is: does this stop WerFault.exe from running or being vulnerable to sideloading? I'm not sure why it's needed these days, don't they have enough telemetry now through other means?

Andy Ful

From Hard_Configurator Tools
> You should always disable Windows Error Reporting in services. It's been abused by the NSA and now other APT groups for years. But the question is: does this stop WerFault.exe from running or being vulnerable to sideloading?

No, it does not. You can even delete WerFault.exe from Windows. The attack uses WerFault.exe from the ISO.
There are thousands of signed executables vulnerable to DLL hijacking (when a system DLL is used) and many more when a usual DLL sideloading is abused.
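The article quoted at the top of the thread describes WerFault.exe being launched from a mounted ISO and picking up faultrep.dll from that same directory, and Andy Ful's reply makes the point that disabling the service changes nothing because the copied executable is what runs. The script below is an added illustration (not code from the article, from K7 Security Labs or from anyone in this thread) of the detection that follows from both: a Microsoft-signed system binary executing from outside the Windows system directories, or a DLL it normally resolves from System32 being loaded from somewhere else. The records are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 7 (image load) entries using Sysmon's real field names; the drive letter E: standing in for the mounted ISO and every path are invented for the demo, and the WATCHED_EXES set generalizes the idea to any other system binary a team wants to watch.

```python
"""Flag WerFault.exe DLL-sideloading indicators in Sysmon-style events.

Added illustration, not from the article or K7 Security Labs. The sample
events are constructed; field names follow Sysmon Event ID 1 and 7, the
paths and the hypothetical ISO drive letter E: are invented for the demo.
"""
from pathlib import PureWindowsPath

# Directories where Microsoft-signed system binaries and the DLLs they
# normally resolve are expected to live.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# System binaries to watch when executed from outside SYSTEM_DIRS; the
# thread names WerFault.exe, any other sideloading host can be added here.
WATCHED_EXES = {"werfault.exe"}
# DLLs those binaries normally resolve from System32.
WATCHED_DLLS = {"faultrep.dll"}


def in_system_dir(path: str) -> bool:
    """True if the file lies under one of SYSTEM_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively, so C:\WINDOWS matches.
    return any(d in p.parents for d in SYSTEM_DIRS)


def analyze(events):
    """Return (event_index, reason) findings for suspicious events."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:  # process creation
            exe = PureWindowsPath(ev["Image"]).name.lower()
            if exe in WATCHED_EXES and not in_system_dir(ev["Image"]):
                findings.append(
                    (i, f"{exe} executed from non-system path {ev['Image']}")
                )
        elif ev["EventID"] == 7:  # DLL load
            dll = PureWindowsPath(ev["ImageLoaded"]).name.lower()
            if dll in WATCHED_DLLS and not in_system_dir(ev["ImageLoaded"]):
                signed = ev.get("Signed", "false").lower() == "true"
                findings.append(
                    (i, f"{dll} loaded by {ev['Image']} from non-system path "
                        f"{ev['ImageLoaded']} (signed={signed})")
                )
    return findings


# Constructed sample telemetry: two benign events from a real crash report,
# then the pattern described in the thread (copy of WerFault.exe on a
# mounted ISO started via a shortcut, loading faultrep.dll beside it).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4242 -s 1024",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"E:\WerFault.exe",
     "CommandLine": r"E:\WerFault.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"E:\WerFault.exe",
     "ImageLoaded": r"E:\faultrep.dll", "Signed": "false"},
]


if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the two ISO-hosted events produce findings; the genuine crash handler in System32 is left alone, which is the point of keying on the path rather than on the process name. Because the check is by location, it also covers Andy Ful's case of a user simply deleting WerFault.exe from Windows: a copy run from anywhere else still trips the rule.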

NoVirusThanks

From NoVirusThanks
Interesting sample, tested with OSArmor (Basic Protection profile):

[screenshot: osa-test-werfault.png]


And in case I disable the "Block execution of suspicious command-line string" rule, it is blocked by another rule:

[screenshot: osa-test-werfault2.png]