An unidentified cybercriminal group is injecting malicious code into the legitimate Windows Error Reporting (WER) service as part of a fileless attack. Running inside a trusted system process helps the malware evade security tools.
Abusing WER is not a new technique in itself, but this campaign, according to Malwarebytes specialists, is notable for its unidentified operators.
“Criminals compromise websites, place a malicious payload on them, and use the CactusTorch framework to perform fileless attacks,” the experts write in the report.
The attackers’ operations first came to the researchers’ attention on September 17, when the experts noticed phishing emails carrying malicious documents inside a ZIP archive.
The lure was a document about monetary compensation. When the document was opened, the CactusTorch VBA module executed and loaded a .NET payload directly into the memory of the Windows machine.
The payload then injected shellcode into the WerFault.exe process (part of the WER system service). Because everything ran in memory, the attack left no traces on the computer’s hard disk.
A similar technique has previously been used by the Cerber ransomware and the NetWire trojan. The malware also checked whether it was running in a virtual machine or sandbox in order to hinder analysis.
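As an added defender’s example, not code from the Malwarebytes report or this article: a small Python detector over constructed process-creation records that flags WerFault.exe instances launched from an Office process or without the usual crash-report arguments. The parent-process list and the argument heuristic are assumptions made for illustration, not detection logic the report describes.

```python
# Added example (not from the Malwarebytes report): a small detector for the
# WerFault.exe abuse described above. It scans process-creation records
# (Sysmon Event ID 1 style, constructed inline) and flags WerFault.exe
# launches that do not look like a genuine crash report. Assumption used as
# the heuristic: a real Windows Error Reporting instance is started by the WER
# service or the faulting process with "-u -p <pid> -s <handle>" arguments,
# whereas a macro dropper spawns a bare WerFault.exe from an Office process.
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Genuine WER invocations carry a "-p <pid>" argument (assumption).
WER_ARGS = re.compile(r"-p\s+\d+", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_werfault(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like WerFault.exe abuse (empty = benign)."""
    if _basename(ev.image) != "werfault.exe":
        return []
    reasons = []
    parent = _basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if not WER_ARGS.search(ev.cmdline):
        reasons.append("no crash-report arguments (-p <pid>)")
    return reasons


def scan(events):
    return [(ev, r) for ev in events if (r := suspicious_werfault(ev))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1384",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\WerFault.exe", "WerFault.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} <- {ev.parent_image}: {'; '.join(reasons)}")
```

Only the second constructed event is flagged, on both grounds; the first is a normal crash report spawned by svchost.exe with the expected arguments.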