Attackers use the Windows Error Reporting service for fileless attacks

Malwarebytes experts have discovered a hack group that engages in cyber-espionage and abuses the Windows Error Reporting (WER) service to conduct fileless attacks. In general, using WER to bypass protection is not a new tactic, but it now seems to be in use by a new hack group.

The attack was noticed on September 17 this year, when analysts found phishing emails containing a malicious document in a ZIP archive. That is, the initial malware was delivered to the victims' computers through targeted phishing, with documents related to compensation used as bait.

If the victim opened such a document, a malicious macro was triggered, which was responsible for executing the shellcode (a special version of the CactusTorch VBA module). It, in turn, used the DotNetToJscript technique and loaded a .NET payload into the device's memory. The binary was executed in the computer's memory, leaving no traces on the hard disk, and injected the shellcode into WerFault.exe, the process of the Windows WER service.

Unfortunately, Malwarebytes' analysts were unable to study this final payload, because the URL was unavailable when the researchers analyzed the attack.
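A detection heuristic for the chain described above, as an added example that is not part of the original article or of the Malwarebytes report: it flags WerFault.exe process-creation events whose parent is an Office application or script host, or that carry no command-line arguments. The event field names, the parent list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: applications with no routine reason to start WerFault.exe themselves.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

def has_arguments(command_line):
    """True if anything follows the executable path on the command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        rest = cl[1:].partition('"')[2]   # text after the closing quote
    else:
        rest = cl.partition(" ")[2]       # text after the first space
    return bool(rest.strip())

def assess(event):
    """Return the reasons a WerFault.exe process-creation event looks odd."""
    if ntpath.basename(event["image"]).lower() != "werfault.exe":
        return []
    reasons = []
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("started by " + parent)
    # Heuristic (assumption): crash reporting normally launches WerFault.exe
    # with arguments that identify the faulting process.
    if not has_arguments(event["command_line"]):
        reasons.append("no command-line arguments")
    return reasons

def triage(events):
    """Map event index -> reasons, for flagged events only."""
    flagged = {}
    for index, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            flagged[index] = reasons
    return flagged

# Constructed sample events (field names are hypothetical, not a real log schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WerFault.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1320"},
    {"image": r"C:\Windows\System32\WerFault.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Windows\System32\WerFault.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\System32\notepad.exe"},
]
```

Either signal alone can occur in benign activity, so the reasons are best treated as triage input and correlated with the preceding macro execution rather than alerted on individually.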
