Gandalf_The_Grey
Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 6,679
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique.
The use of this Windows executable is to stealthy infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable.
The new campaign was spotted by K7 Security Labs, which could not identify the hackers, but they are believed to be based in China.
The malware campaign starts with the arrival of an email with an ISO attachment. When double-clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file ('faultrep.dll'), an XLS file ('File.xls'), and a shortcut file ('inventory & our specialties.lnk').
WerFault is the standard Windows error reporting tool used in Windows 10 and 11, allowing the system to track and report errors related to the operating system or applications.
Windows use the tool to report an error and receive potential solution recommendations.
Antivirus tools commonly trust WerFault as it's a legitimate Windows executable signed by Microsoft, so launching it on the system won't usually trigger alerts to warn the victim.
When WerFault.exe is launched, it will use a known DLL sideloading flaw to load the malicious 'faultrep.dll' DLL contained in the ISO.
Hackers abuse Windows error reporting tool to deploy malware
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique.
www.bleepingcomputer.com