welcome to netwrkspider

Wednesday, October 7, 2020

Kraken | Fileless APT attack abuses Windows Error Reporting service | IOCs Details

 

Security researchers discovered a new attack called Kraken that injects its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.

That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.

While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker’s compensation claim. The threat actors compromised a website to host their payload and then used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques.

At the time of writing, we could not make a clear attribution to who is behind this attack, although some elements remind us of the Vietnamese APT32 group.

Malicious lure: ‘your right to compensation’

On September 17, we found a new attack starting from a zip file containing a malicious document most likely distributed through spear phishing attacks.

The document “Compensation manual.doc” pretends to include information about compensation rights for workers:

 

 

 

IOC Details:


#Lure document: 31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942

#Archive file containing lure document:
d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4

#URL DOMAIN IOCs
yourrighttocompensation.com/ping
yourrighttocompensation.com/?rid=UNfxeHM
yourrighttocompensation.com/downloa/?key=15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30&id=0
yourrighttocompensation.com/?rid=n6XThxD
yourrighttocompensation.com/?rid=AuCllLU

#Download URL for final payload:
asia-kotoba.net/favicon32.ico
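
A defender's sweep for the network indicators above, as an added example that is not part of the original post: it checks process network events against the two IOC domains and raises the severity when the connecting image is WerFault.exe. The pipe-delimited log format, the sample events and the function names are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import urlsplit

# Domains taken from the IOC list on this page.
IOC_DOMAINS = {"yourrighttocompensation.com", "asia-kotoba.net"}

# Constructed sample events (not real telemetry): time|process image|URL.
SAMPLE_EVENTS = r"""
2020-09-17T09:12:01Z|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|hxxp://yourrighttocompensation[.]com/ping
2020-09-17T09:12:09Z|C:\Windows\System32\WerFault.exe|http://asia-kotoba.net/favicon32.ico
2020-09-17T09:13:40Z|C:\Windows\System32\WerFault.exe|https://watson.telemetry.microsoft.com/Telemetry.Request
2020-09-17T09:14:02Z|C:\Program Files\Mozilla Firefox\firefox.exe|https://cdn.asia-kotoba.net.example.org/a.js
"""

def refang(url):
    """Undo common defanging and add a scheme so the URL parses normally."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "http://" + url

def ioc_domain(url):
    """Return the IOC domain the URL's host belongs to, or None."""
    try:
        host = (urlsplit(refang(url)).hostname or "").rstrip(".").lower()
    except ValueError:
        return None  # unparsable URL, nothing to match
    for domain in IOC_DOMAINS:
        # Exact host or a true subdomain; a plain substring test would
        # wrongly flag hosts such as asia-kotoba.net.example.org.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def sweep(log_text):
    """Return (time, image, domain, severity) for each event hitting an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        when, image, url = parts
        domain = ioc_domain(url)
        if domain is None:
            continue
        # WerFault.exe talking to an IOC host fits the injection described above.
        is_wer = ntpath.basename(image).lower() == "werfault.exe"
        hits.append((when, image, domain, "high" if is_wer else "medium"))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```
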
 
Ref: https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/