Malwarebytes experts have discovered a hacking group that engages in cyber-espionage and abuses the Windows Error Reporting (WER) functionality to conduct fileless attacks. Using WER to evade defenses is not a new tactic in itself, but it now appears to be in use by a new hacking group.
The attack was noticed on September 17 this year, when analysts found phishing emails carrying a malicious document inside a ZIP archive. The initial malware was therefore delivered to the victims' computers through targeted phishing, using documents related to compensation as bait.
If the victim opened such a document, a malicious macro was triggered, which was responsible for executing the shellcode (a custom version of the CactusTorch VBA module). It, in turn, used the DotNetToJscript technique to load a .NET payload into the device's memory. The binary ran in memory, leaving no traces on the hard disk, and injected the shellcode into WerFault.exe, the process of the Windows WER service.
Unfortunately, Malwarebytes' analysts were unable to study this final payload, because the URL was no longer available when the researchers analyzed the attack.
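The chain described above ends with code injected into a freshly started WerFault.exe, which leaves process-creation telemetry as one of the few artefacts of a fileless attack. The following is an added detection example, not code from Malwarebytes or from the article: it scores Sysmon-style process-creation records (Image, ParentImage, CommandLine fields are assumed) and flags a WerFault.exe start whose parent is an Office application (assuming the macro-bearing document was opened in Office) or whose command line lacks the `-p <pid>` crash context that a genuine error report typically carries. The sample events are constructed for illustration.

```python
"""Detection example: flag unusual WerFault.exe process creations.

Added example, not code from Malwarebytes or the article. It assumes
Sysmon-style process-creation records (Image, ParentImage, CommandLine);
the sample events are constructed, and the Office parent assumption is
that the macro-bearing document was opened in an Office application.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: Office processes are where the malicious macro runs, so they are
# unexpected parents of WerFault.exe unless the Office process itself crashed.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_crash_context(command_line: str) -> bool:
    """True if the WerFault command line carries a '-p <pid>' crash context.

    A WerFault.exe started by the WER infrastructure to report a crash is
    typically given the faulting process id this way; a copy started only to
    host injected code has no crash to report, so the argument is absent.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-p" and tokens[i + 1].isdigit():
            return True
    return False


def analyze(events: Iterable[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for each WerFault.exe start that looks abnormal."""
    findings = []
    for ev in events:
        if basename(ev.image) != "werfault.exe":
            continue
        reasons = []
        if basename(ev.parent_image) in OFFICE_PROCESSES:
            reasons.append("werfault_from_office_parent")
        if not has_crash_context(ev.command_line):
            reasons.append("werfault_without_crash_context")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\WerFault.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "WerFault.exe -u -p 3988 -s 1320"),            # ordinary crash report
    ProcessEvent(5201, r"C:\Windows\System32\WerFault.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WerFault.exe"),                               # empty host for injected code
    ProcessEvent(5310, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),     # unrelated process
    ProcessEvent(5422, r"C:\Windows\System32\WerFault.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WerFault.exe -u -p 5100 -s 2048"),            # Word itself crashed: parent only
]


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

The two reasons are deliberately kept separate: an Office parent on its own can be a genuine Word crash (the fourth sample event), so it should raise a lower-confidence finding, while a WerFault.exe with no crash context at all is the stronger signal and matches the hollow host the article describes. In a real deployment the expected-parent set and the argument check would be tuned against the environment's own baseline of WerFault.exe starts.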