Attackers are abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into the memory of compromised systems through DLL sideloading.
Because the loader is a legitimate, Microsoft-signed Windows executable, the malware is launched on the breached system without triggering the warnings a victim or security product might otherwise see.
The campaign was discovered by K7 Security Labs, which could not identify the operators but believes they are based in China.
The campaign starts with an email carrying an ISO attachment. When double-clicked, the ISO mounts as a new drive letter containing a legitimate copy of the Windows executable WerFault.exe, a DLL file ("faultrep.dll"), an XLS file ("File.xls"), and a shortcut file ("inventory & our specialities.lnk"). The victim starts the infection chain by opening the shortcut, which uses "scriptrunner.exe" (itself a built-in Windows utility) to launch WerFault.exe.
WerFault is the standard Windows Error Reporting tool, present in Windows 10 and 11, that lets the system track and report errors in the operating system and applications. Windows uses it to submit an error report and retrieve suggested fixes.
Security tools generally trust WerFault because it is a legitimate, Microsoft-signed Windows executable, so running it typically produces no warning to alert the victim.
When WerFault.exe starts, it loads a DLL named faultrep.dll, and a well-known DLL search-order weakness causes it to pick up the malicious "faultrep.dll" shipped in the ISO image. The legitimate faultrep.dll is a Microsoft DLL in C:\Windows\System32 that WerFault needs to work properly; the copy on the ISO is a look-alike that contains additional code to run the malware.
Placing a malicious DLL with the same name as a legitimate one so that it is loaded in its place is called DLL sideloading. It works because of the default DLL search order: when an executable loads a DLL by name rather than by full path, Windows looks in the executable's own directory before the system directories, so a same-named DLL sitting beside the EXE wins over the genuine copy in System32. (DLLs on the KnownDLLs list, and DLLs loaded by absolute path, are not affected.) The malicious copy therefore only needs to be in the same directory as the executable that calls it, which is why the ISO bundles WerFault.exe and faultrep.dll together.
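The following is an added example, not code from the original article or from K7 Security Labs. It models the two points above in runnable form: a simplified version of the DLL search order that shows why a faultrep.dll beside WerFault.exe beats the copy in System32, and a small detector that runs over constructed Sysmon-style records (Event ID 1 process create, Event ID 7 image load; the field names follow Sysmon, the records themselves are made up here) and flags WerFault.exe running outside the system directory, WerFault.exe spawned by scriptrunner.exe, and faultrep.dll loaded from anywhere other than System32 or SysWOW64. The watchlists and rule names are assumptions chosen for this example.

```python
from pathlib import PureWindowsPath

# Directories where Microsoft's own WerFault.exe and faultrep.dll live.
# Same-named files anywhere else are suspect.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))
WATCHED_DLLS = {"faultrep.dll"}      # DLL abused for sideloading in this chain
WATCHED_HOSTS = {"werfault.exe"}     # signed host that loads it
ODD_PARENTS = {"scriptrunner.exe"}   # launcher the LNK uses to start WerFault


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32 or SysWOW64 (case-insensitive)."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == str(d).lower() for d in SYSTEM_DIRS)


def resolve_dll(exe_path: str, dll_name: str, files_present: set) -> str:
    """Simplified default (SafeDllSearchMode) search order: the application's
    own directory is checked before System32, which is exactly why a same-named
    DLL beside the EXE wins. The real order continues with the 16-bit System
    directory, the Windows directory, the cwd and PATH; omitted here.
    `files_present` is a constructed set of full paths that exist on disk."""
    present = {f.lower() for f in files_present}
    app_dir = PureWindowsPath(exe_path).parent
    for candidate in (app_dir / dll_name, SYSTEM_DIRS[0] / dll_name):
        if str(candidate).lower() in present:
            return str(candidate)
    raise FileNotFoundError(dll_name)


def detect(events: list) -> list:
    """Apply three checks to Sysmon-style records; returns (rule, evidence) pairs."""
    alerts = []
    for ev in events:
        image = ev["Image"]
        image_name = PureWindowsPath(image).name.lower()
        if ev["EventID"] == 1 and image_name in WATCHED_HOSTS:
            # Rule 1: the ISO carries its own copy of WerFault.exe, so the
            # process image is not under a system directory.
            if not in_system_dir(image):
                alerts.append(("werfault_outside_system_dir", image))
            # Rule 2: WerFault is normally started by WER or a crashing app,
            # not by a script launcher.
            parent = ev["ParentImage"]
            if PureWindowsPath(parent).name.lower() in ODD_PARENTS:
                alerts.append(("werfault_launched_by_scriptrunner", parent))
        elif ev["EventID"] == 7:
            # Rule 3: the watched DLL was loaded from a non-system path.
            loaded = ev["ImageLoaded"]
            if (PureWindowsPath(loaded).name.lower() in WATCHED_DLLS
                    and not in_system_dir(loaded)):
                alerts.append(("sideloaded_dll", loaded))
    return alerts


# Constructed sample telemetry: the first two records mimic the ISO chain
# (drive D: is the mounted image), the last two are benign WER activity.
EVENTS = [
    {"EventID": 1, "Image": r"D:\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\ScriptRunner.exe"},
    {"EventID": 7, "Image": r"D:\WerFault.exe",
     "ImageLoaded": r"D:\faultrep.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    # Search-order demo: with the look-alike present next to the EXE, it wins.
    on_disk = {r"D:\faultrep.dll", r"C:\Windows\System32\faultrep.dll"}
    print("WerFault on D: loads", resolve_dll(r"D:\WerFault.exe", "faultrep.dll", on_disk))
    for rule, evidence in detect(EVENTS):
        print(f"ALERT {rule}: {evidence}")
```

In production these checks would run on real Sysmon or EDR image-load telemetry; the third rule is the most robust of the three, since it fires regardless of which drive letter or folder the ISO mounts to and does not depend on the specific launcher the shortcut uses.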
Once loaded, the malicious DLL creates two threads: one loads the Pupy remote access trojan DLL ("dll_pupyx64.dll") into memory, and the other opens the bundled XLS spreadsheet as a decoy.
Pupy RAT is a publicly available, open-source post-exploitation tool written in Python. It supports reflective DLL loading, so the payload runs in memory without touching disk, and additional modules can be loaded later. It gives attackers full access to infected devices, letting them execute commands, steal data, install further malware, or move laterally across the network.
As an open-source tool, Pupy has been used by several state-sponsored espionage groups, including the Iranian APT33 and APT35, because shared tooling makes attribution harder.
Last summer, QBot distributors were seen using a similar chain that abused the Windows Calculator (calc.exe) to sideload a malicious DLL and evade security software.