Hackers use Windows error reporting tool for malware


    Attackers are abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into memory on compromised systems by way of DLL sideloading.

    Because the loader is a legitimate, Microsoft-signed Windows executable, the malware is launched without triggering any warning on the breached system.

    The campaign was discovered by K7 Security Labs, which could not attribute it to a known group; the operators are believed to be based in China.

    The campaign starts with an email carrying an ISO attachment. When double-clicked, the ISO mounts as a new drive letter containing a legitimate copy of the Windows executable WerFault.exe, a DLL named "faultrep.dll", an XLS file ("File.xls"), and a shortcut file ("inventory & our specialities.lnk"). The victim starts the infection chain by clicking the shortcut, which uses "scriptrunner.exe" to launch the WerFault.exe copy from the mounted image.

    WerFault is the standard Windows Error Reporting tool in Windows 10 and 11; it lets the system monitor and report errors in the operating system or in applications. Windows uses it to report an error and retrieve suggested solutions.

    Antivirus tools generally trust WerFault because it is a legitimate Windows executable signed by Microsoft, so running it usually produces no warnings that would alert the victim.

    When WerFault.exe is launched, it falls victim to a well-known DLL sideloading weakness (DLL search order hijacking) and loads the malicious "faultrep.dll" shipped in the ISO image. Normally, "faultrep.dll" is a legitimate Microsoft DLL in C:\Windows\System32 that WerFault needs in order to work properly. The copy in the ISO, however, contains additional code that runs the malware.

    Planting a malicious DLL with the same name as a legitimate one so that it is loaded instead is called DLL sideloading. It requires the malicious DLL to sit in the same directory as the executable that imports it: by default, Windows resolves a DLL name by checking the directory the application was loaded from before it checks the system directories, so the planted copy wins over the real one in System32. (DLLs on the KnownDLLs list are exempt from this search and are always taken from the system directory, which is why the technique targets DLLs such as faultrep.dll that are not on it.)
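    The infection chain and the sideload described above leave two distinct traces in endpoint telemetry: WerFault.exe starting from a removable/mounted drive under a script host parent, and a WerFault.exe process loading faultrep.dll from its own directory rather than from System32. The following hunting logic, an added example that is not code from the article or from K7 Security Labs, runs both checks over Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) records. The sample events are constructed, the E: drive letter is an assumed ISO mount point, and the lists of suspicious parent processes and of WerFault's system DLLs beyond those named in the article are assumptions to be tuned.

```python
"""Hunting rules for the WerFault.exe / faultrep.dll sideload.

Added example (not from the article or K7 Security Labs). Input records mimic
Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) fields; the
sample events at the bottom are constructed, not captured telemetry.
"""
import ntpath

# Where WerFault.exe and its dependencies legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLLs WerFault.exe should only ever resolve from the system directory.
# faultrep.dll is the one named in the article; adding more is an assumption.
WERFAULT_SYSTEM_DLLS = {"faultrep.dll"}

# Parents that should never spawn WerFault.exe (normally the WER service does).
# ScriptRunner.exe is the one the campaign uses; the rest are assumptions.
SUSPICIOUS_PARENTS = {"scriptrunner.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def _norm(path: str) -> str:
    return path.strip().lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(_norm(path))


def _basename(path: str) -> str:
    return ntpath.basename(_norm(path))


def check_process_create(event: dict) -> list[str]:
    """EventID 1: WerFault.exe must run from the system directory and should not
    be spawned by a script host."""
    findings = []
    image = event.get("Image", "")
    if _basename(image) != "werfault.exe":
        return findings
    if _dirname(image) not in SYSTEM_DIRS:
        findings.append(f"WerFault.exe started from non-system directory: {image}")
    parent = _basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"WerFault.exe spawned by unexpected parent: {parent}")
    return findings


def check_image_load(event: dict) -> list[str]:
    """EventID 7: a WerFault.exe process loading one of its system DLLs from its
    own directory (or any non-system path) is the sideload signature."""
    findings = []
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if _basename(image) != "werfault.exe" or _basename(loaded) not in WERFAULT_SYSTEM_DLLS:
        return findings
    if _dirname(loaded) not in SYSTEM_DIRS:
        where = "application directory" if _dirname(loaded) == _dirname(image) else "non-system path"
        findings.append(f"{_basename(loaded)} loaded from {where}: {loaded}")
    # Sysmon reports "true"/"false" in the Signed field of ImageLoad events.
    if _norm(event.get("Signed", "")) != "true":
        findings.append(f"{_basename(loaded)} is not signed: {loaded}")
    return findings


def scan(events: list[dict]) -> list[str]:
    """Dispatch each record on its EventID and collect every finding."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 7:
            findings.extend(check_image_load(ev))
    return findings


# Constructed sample telemetry: two benign WER events, then the ISO-based chain
# (E:\ is the assumed mount point of the malicious ISO).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"E:\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\ScriptRunner.exe"},
    {"EventID": 7, "Image": r"E:\WerFault.exe",
     "ImageLoaded": r"E:\faultrep.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

    The two benign records produce nothing; the two records from the mounted ISO produce four findings (non-system path, script-host parent, faultrep.dll sideloaded from the application directory, unsigned DLL). In production the same logic applies to any Microsoft-signed binary that is copied out of System32, which is the real lesson of this campaign: the executable's signature is valid, so the anomaly is its location and what it loads, not the file itself.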

    Once loaded in this attack, the DLL creates two threads: one loads the Pupy remote access trojan DLL ("dll_pupyx64.dll") into memory, and the other opens the bundled XLS spreadsheet as a decoy.

    Pupy RAT is publicly available, open-source malware written in Python. It supports reflective DLL loading to evade detection and can pull in additional modules later. It gives attackers full access to infected devices, letting them execute commands, steal data, install other malware, or spread across the network.

    As an open-source tool, it has been used by several state-backed espionage groups, including the Iranian actors APT33 and APT35, since shared, publicly available tooling makes attribution harder.

    QBot malware distributors were seen last summer using a similar attack chain that abused the Windows Calculator to evade detection by security software.

    Author DeepWeb