According to researchers, the fileless attack is being carried out by OceanLotus, a Vietnamese APT32 group.
Malwarebytes security researchers Jrme Segura and Hossein Jazi have identified a new fileless attack method that exploits the Microsoft Windows Error Reporting (WER) service for injecting its payload. The attack was discovered on Sep 17th, 2020 but the details of it have been only made public recently.
The duo claims that this new technique, which they dubbed the Kraken attack, could be the work of the Vietnamese APT32 group, namely OceanLotus also known as SeaLotus, Cobalt Kitty, and APT-C-00.
This group is highly sophisticated and previously made headlines for several notorious campaigns including:
PhantomLance – A malware that targeted Android users worldwide through Play Store apps.
OSX_OCEANLOTUS.D – A macOS malware that aims at infecting devices with malicious macros.
Toyota Motors breach – In April 2020, the group stole personal data of 3.1 million Toyota customers.
OceanLotus also used a phishing attack to lure victims through a similar worker compensation claim scam. In that incident, the attackers used the CactusTorch framework to carry out a fileless attack after compromising a website to host its payload.
Another reason to believe OceanLotus is involved is that the domains used to host malicious archives and documents were registered in a Vietnamese city, Ho Chi Minh.
Segura and Jazi wrote in their blog post published Tuesday that the attack vector mainly relies on malware hidden in WER-based executable files to evade detection. The technique isn’t novel in itself.
The team found a phishing document packages in a .ZIP file. This file was titled “Compensation manual.doc,” which supposedly contained information about worker compensation rights. However, when they opened this file, it triggered a malicious macro.
In this campaign, the loader has two classes, Kraken and Loader, which collectively install the malicious payload into the WER service.
“The final shellcode is a set of instructions that make an HTTP request to a hard-coded domain to download a malicious payload and inject it into a process,” the duo wrote.
As per the researchers, the WerFault.exe reporting service is invoked when an error in the OS, Windows features, or application occurs. When a user notices WerFault.exe running on their system, they assume that an error has happened but in reality, they have become victims of a targeted attack.