Hackers abuse Windows error service in fileless malware attack


Level 69
Content Creator
Malware Hunter
Aug 17, 2014
An unknown hacking group injected malicious code within the legitimate Windows Error Reporting (WER) service to evade detection as part of a fileless malware attack as discovered by Malwarebytes researchers last month.

Exploiting the WER service in attacks for defense evasion is not a new tactic but, as Malwarebytes Threat Intelligence Team researchers Hossein Jazi and Jérôme Segura said, this campaign is most likely the work of a yet unknown cyber espionage group.

"The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques," the report, shared in advance with BleepingComputer, explains.

The attack was first observed on September 17 after the researchers spotted phishing emails containing a malicious document encased in a ZIP archive.
Read more: Hackers abuse Windows error service in fileless malware attack

Full report by researchers: Release the Kraken: Fileless APT attack abuses Windows Error Reporting service - Malwarebytes Labs
Last edited: