Cyber spyware uses Windows Error Service in fileless attacks

An unidentified cybercriminal group injects malicious code into the legitimate Windows Error Reporting (WER) service as part of a fileless attack. Running inside a trusted Windows process helps the payload evade security tools.

Abusing WER is not a new technique, but this campaign, according to Malwarebytes specialists, stands out for its still-unidentified operators.

“Criminals compromise websites, place a malicious payload on them, and use the CactusTorch framework to carry out fileless attacks,” the experts write in the report.

The attackers’ operations first came to the researchers’ attention on September 17, when they noticed phishing emails carrying malicious documents inside a ZIP archive.

The decoy was a promise of monetary compensation. Once the document was opened, the CactusTorch VBA module executed and loaded a .NET payload directly into the memory of the Windows machine.

The shellcode was then injected into the WerFault.exe process (which belongs to the WER system service). Because every stage ran in memory, the attack left no traces on the computer’s hard disk.
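The defensive counterpart to the step above is spotting a WerFault.exe instance that does not look like a real crash report. The following Python script is an added example written for this article, not code from Malwarebytes or from the report; it scans constructed process-creation events (Sysmon-like, with simplified field names, an assumption) and flags WerFault.exe when it was started by a document viewer or script host, when its command line lacks the faulting-process id that a genuine crash report carries, or when that id does not match the parent that supposedly crashed. The baseline expectations about normal WerFault.exe usage and the lists of parent processes are assumptions to tune for your environment.

```python
import json
import re
from typing import Dict, List

# Parents that start WerFault.exe on behalf of other processes (assumed baseline; the
# crash reporter is otherwise started by the faulting process itself).
SERVICE_PARENTS = {"svchost.exe", "wermgr.exe"}

# Document viewers and script hosts that have no business starting the crash reporter.
# Assumed list: the article describes a macro-laden document, so Office applications
# and script hosts are the parents worth watching.
DOCUMENT_OR_SCRIPT_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}

# A genuine crash report carries the faulting process id as "-p <pid>" (assumed normal usage).
FAULTING_PID = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, object]) -> List[str]:
    """Reasons a WerFault.exe process-creation event looks abused; an empty list means benign."""
    if basename(str(event.get("image", ""))) != "werfault.exe":
        return []
    reasons: List[str] = []
    parent = basename(str(event.get("parent_image", "")))
    match = FAULTING_PID.search(str(event.get("command_line", "")))

    if parent in DOCUMENT_OR_SCRIPT_HOSTS:
        reasons.append(f"started by document/script host {parent}")
    if match is None:
        reasons.append("no faulting process id (-p) on the command line")
    elif parent not in SERVICE_PARENTS and int(match.group(1)) != int(event.get("parent_pid", -1)):
        # A crashing process reports on itself, so -p should name the parent.
        reasons.append(f"-p {match.group(1)} does not match parent pid {event.get('parent_pid')}")
    return reasons


def scan(jsonl: str) -> List[Dict[str, object]]:
    """Run classify() over newline-delimited JSON events and collect the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({"pid": event["pid"], "parent": basename(event["parent_image"]), "reasons": reasons})
    return findings


# Constructed process-creation events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = r"""
{"pid": 5012, "image": "C:\\Windows\\System32\\WerFault.exe", "parent_pid": 1488, "parent_image": "C:\\Windows\\System32\\svchost.exe", "command_line": "C:\\Windows\\System32\\WerFault.exe -pss -s 1204 -p 4120 -ip 1488"}
{"pid": 6120, "image": "C:\\Windows\\System32\\WerFault.exe", "parent_pid": 4120, "parent_image": "C:\\Windows\\System32\\notepad.exe", "command_line": "C:\\Windows\\System32\\WerFault.exe -u -p 4120 -s 1396"}
{"pid": 7300, "image": "C:\\Windows\\System32\\WerFault.exe", "parent_pid": 3344, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "C:\\Windows\\System32\\WerFault.exe"}
{"pid": 7412, "image": "C:\\Windows\\System32\\WerFault.exe", "parent_pid": 2810, "parent_image": "C:\\Windows\\explorer.exe", "command_line": "C:\\Windows\\System32\\WerFault.exe -u -p 9999 -s 12"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the first two events pass as normal crash reports, the WINWORD.EXE child is flagged twice (Office parent, no faulting pid), and the explorer.exe child is flagged for a pid mismatch. The parent-pid check matters more than any allowlist: any application can crash and legitimately spawn WerFault.exe, so the question is whether the process WerFault.exe claims to report on is the one that started it.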

A similar technique was previously used by the Cerber ransomware and the NetWire Trojan. The malware also checked whether it was running in a virtual machine or sandbox, to hinder analysis by researchers.

Source: anti-malware
