June 11, 2023

Cybercriminals are now abusing built-in, legitimate Windows services to perform fileless attacks. Researchers report that they use spear-phishing emails to distribute a zip file containing a malicious document.

A new attack dubbed Kraken was identified abusing the Windows Error Reporting (WER) service as an evasion mechanism.
The attackers target the internal Windows component WerFault[.]exe, which reports errors that occur in the Windows OS.

They first compromise a website to host their payload and use the CactusTorch framework to execute a fileless attack accompanied by multiple tricks.

After the anti-analysis checks pass, the payload loads the final shellcode and creates a new WER thread. The shellcode is hosted on the compromised asia-kotoba[.]net site, where it is planted as a fake favicon.

The attack could not be attributed to any known threat group because there is too little evidence. However, researchers note that APT32 has previously used some of the elements seen in this attack.

Cybercriminals are getting better at finding new techniques that exploit legitimate services such as WER. Experts recommend that users keep anti-malware solutions and Windows up to date and deploy a mechanism for monitoring malicious behaviour.
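The two defender-side checks below are an added example and are not code from the original article or from the researchers it cites. They illustrate the "malicious behaviour monitoring" the article recommends, using the two observables the article gives: WerFault.exe being abused as a host process, and shellcode served as a fake favicon. The event field names, the sample records, the allow-list of WER reporting hosts and the heuristic that a WerFault.exe launch with no command-line arguments is suspicious are all assumptions to tune for your environment.

```python
"""Defender-side checks inspired by the Kraken / WerFault write-up (added example).

flag_werfault_anomalies(): scans simplified process-creation and network-connection
records (field names are assumptions, loosely modelled on Sysmon event 1 and 3)
and flags WerFault.exe instances that start with no arguments or that connect to
hosts outside a WER allow-list.

looks_like_real_favicon(): checks that bytes served as favicon.ico actually carry
an image signature, since the article notes the shellcode was planted as a fake favicon.
"""

# Assumption: hosts WER is expected to talk to; tune for your environment.
WER_ALLOWED_HOST_SUFFIXES = (".microsoft.com", ".windows.com")

# Magic bytes of the image formats a browser would accept as a favicon.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}

# Constructed sample events (not real telemetry). The defanged domain is the one
# named in the article; the paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": "WerFault.exe -u -p 4312 -s 1024",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process_create", "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": "WerFault.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\host.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\WerFault.exe",
     "dest_host": "watson.telemetry.microsoft.com", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Windows\System32\WerFault.exe",
     "dest_host": "asia-kotoba[.]net", "dest_port": 80},
]

# Constructed favicon bodies: a minimal ICO header versus arbitrary non-image bytes.
REAL_FAVICON_SAMPLE = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00"
FAKE_FAVICON_SAMPLE = b"\x00\x01\x02\x03\x04\x05\x06\x07"


def is_werfault(image: str) -> bool:
    """True if the image path is WerFault.exe (case-insensitive)."""
    return image.lower().endswith("\\werfault.exe")


def flag_werfault_anomalies(events):
    """Return (rule, detail) tuples for WerFault.exe behaviour worth a closer look.

    Assumption: a genuine WER launch carries arguments (e.g. "-u -p <pid> -s <id>"),
    so a bare "WerFault.exe" command line is treated as suspicious.
    """
    findings = []
    for ev in events:
        if not is_werfault(ev.get("image", "")):
            continue
        if ev["type"] == "process_create":
            args = ev.get("cmdline", "").split()[1:]
            if not args:
                findings.append(("werfault_no_args", ev.get("parent", "")))
        elif ev["type"] == "network_connect":
            host = ev.get("dest_host", "").lower()
            if not host.endswith(WER_ALLOWED_HOST_SUFFIXES):
                findings.append(("werfault_unexpected_dest", host))
    return findings


def looks_like_real_favicon(body: bytes) -> bool:
    """True if the response body starts with a known image signature."""
    return any(body.startswith(magic) for magic in IMAGE_MAGIC)


if __name__ == "__main__":
    for rule, detail in flag_werfault_anomalies(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    for label, body in (("real", REAL_FAVICON_SAMPLE), ("fake", FAKE_FAVICON_SAMPLE)):
        print(f"favicon ({label}) is image: {looks_like_real_favicon(body)}")
```

Running the block flags the argument-less WerFault.exe launched from a Temp directory and the WerFault.exe connection to the non-Microsoft host, while leaving the ordinary Office crash report alone; the favicon check separates the ICO header from the non-image bytes. In a real deployment the records would come from your EDR or Sysmon pipeline and the favicon check would run on proxy-captured responses.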
