Cybercriminals have been spotted loading malware onto vulnerable Windows endpoints through a legitimate Windows problem reporting tool called WerFault.exe.
According to researchers from K7 Security Labs, who first discovered the campaign, the hackers (presumably from China) send a phishing email containing an ISO file. An ISO is an optical disc image which, when opened on Windows, is mounted as a new drive letter (as if the user had inserted a CD or DVD).
In this case, the ISO contains a clean copy of the WerFault.exe executable, but also three additional files – a DLL file called errorrep.dll, an XLS file called File.xls, and a shortcut file called Inventory & Our specialities.lnk.
Misuse of legitimate software
The victim would first click on the shortcut file, which would launch the legitimate WerFault.exe file. Since these files are clean, they will not trigger any antivirus alarms.
Then WerFault.exe will try to load errorrep.dll which, under normal circumstances, is also a legitimate file that is required for the program to run properly. However, Windows searches for a DLL in the folder the executable was started from before it checks the system directories, so if a malicious DLL with that name sits next to the copied WerFault.exe (as is the case here), the trusted executable will load it and effectively run the malware. This technique is called DLL sideloading.
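The mechanism above leaves a recognisable trace in image-load telemetry: a binary that normally lives in System32 is running from somewhere else (here, a mounted ISO drive letter) and pulls a DLL from its own directory rather than from a Windows system directory. The following detector is an added example written for this article, not code from K7 Security Labs or from the campaign itself. The log format it parses is constructed to resemble Sysmon Event ID 7 (ImageLoad) fields but is not Sysmon's real output; the set of watched binaries and the sample records, including the second benign line that uses wer.dll, are assumptions for illustration.

```python
"""Toy detector for DLL sideloading of a relocated Windows system binary.

Flags image-load events where a binary that ships in a Windows system
directory is executing from elsewhere and loads a DLL from its own folder.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Binaries that ship in System32 and become sideloading hosts when copied
# elsewhere. WerFault.exe is the one described in the article; treating it as
# the only watched binary is a simplification for this example.
SYSTEM_BINARIES = {"werfault.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample records (pipe-delimited, Sysmon-like field names).
# Line 1: WerFault.exe from System32 loading a system DLL (benign baseline).
# Line 2: WerFault.exe copied to a mounted ISO (E:) loading a system DLL.
# Line 3: the same relocated WerFault.exe loading an unsigned errorrep.dll
#         from the ISO, the pattern the article describes.
# Line 4: an unrelated vendor app loading its own helper DLL (not watched).
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\WerFault.exe|ImageLoaded=C:\\Windows\\System32\\wer.dll|Signed=true
Image=E:\\WerFault.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true
Image=E:\\WerFault.exe|ImageLoaded=E:\\errorrep.dll|Signed=false
Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true
"""


@dataclass(frozen=True)
class ImageLoad:
    image: str         # full path of the process executable
    image_loaded: str  # full path of the module that was loaded
    signed: bool       # whether the loaded module carried a valid signature


def parse_line(line: str) -> ImageLoad:
    """Turn one 'Key=Value|Key=Value' record into an ImageLoad event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].strip().lower() == "true",
    )


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons an event looks like sideloading (empty if benign)."""
    reasons: list[str] = []
    exe_name = ntpath.basename(ev.image).lower()
    if exe_name not in SYSTEM_BINARIES or in_system_dir(ev.image):
        return reasons  # not a watched binary, or running from its real home
    reasons.append("system binary running outside a Windows system directory")
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.image_loaded).lower()
    if same_dir and ev.image_loaded.lower().endswith(".dll"):
        reasons.append("loads a DLL from its own (non-system) directory")
    if not ev.signed:
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(log_text: str) -> list[tuple[ImageLoad, list[str]]]:
    """Parse every non-empty record and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(f"{ev.image} -> {ev.image_loaded}")
        for r in reasons:
            print(f"    {r}")
```

Run against the sample, the first and fourth records are ignored, the second is flagged only for the relocated executable, and the third collects all three reasons; in practice the same three checks map onto image-load or process-creation events from whatever EDR or Sysmon feed is available, with the signature check replacing a cheap "Signed" flag with the real verification result.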
According to K7 Security Labs, the DLL creates two threads: one loads the Pupy Remote Access Trojan’s DLL (dll_pupyx64.dll) into memory, and the other opens File.xls, a decoy document whose only purpose is to keep the victim occupied while the malware is loaded on the endpoint.
Pupy gives threat actors full access to the target device, enabling them to run commands, steal any data, or move around the network as they wish.
Pupy has been used by Iranian state-sponsored threat actors APT33 and APT35, as well as by hackers seeking to distribute QBot malware.
Via: BleepingComputer