Security researchers discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.
That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications occurs. When victims see WerFault.exe running on their machine, they probably assume that some error happened, when in this case they have actually been targeted in an attack.
While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker's compensation claim. The threat actors compromised a website to host their payload and then used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques.
At the time of writing, we could not clearly attribute this attack to a specific actor, although some elements remind us of the Vietnamese APT32 group.
Malicious lure: ‘your right to compensation’
On September 17, we found a new attack starting from a zip file containing a malicious document most likely distributed through spear phishing attacks.
The document "Compensation manual.doc" purports to contain information about compensation rights for workers:
IOC details:
#Lure document: 31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942
#Archive file containing lure document:
d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4
#URL DOMAIN IOCs
yourrighttocompensation.com/ping
yourrighttocompensation.com/?rid=UNfxeHM
yourrighttocompensation.com/downloa/?key=15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30&id=0
yourrighttocompensation.com/?rid=n6XThxD
yourrighttocompensation.com/?rid=AuCllLU
#Download URL for final payload:
asia-kotoba.net/favicon32.ico
Ref: https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
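To put the indicators above to use, here is an added example (not code from the original post or from Malwarebytes) that reduces the URL indicators to their host names, then checks a constructed file inventory against the two SHA-256 hashes and a few constructed proxy log lines against the malicious domains; the log format, the inventory layout and the benign placeholder hash are assumptions for the sake of the demo.

```python
import re
from urllib.parse import urlsplit

# SHA-256 hashes and URLs listed in the post above.
IOC_HASHES = {
    "31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942": "lure document",
    "d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4": "archive containing lure",
}
IOC_URLS = [
    "yourrighttocompensation.com/ping",
    "yourrighttocompensation.com/?rid=UNfxeHM",
    "yourrighttocompensation.com/downloa/?key=15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30&id=0",
    "asia-kotoba.net/favicon32.ico",
]

def ioc_domains(urls):
    """Reduce scheme-less URL indicators to lower-case host names."""
    return {urlsplit("http://" + u).hostname.lower() for u in urls}

def match_file_hashes(inventory):
    """inventory: iterable of (path, sha256) pairs. Returns (path, label) for known-bad hashes,
    comparing case-insensitively because tools emit hashes in either case."""
    return [(path, IOC_HASHES[h.lower()]) for path, h in inventory if h.lower() in IOC_HASHES]

def match_proxy_log(lines, domains):
    """Flag log lines whose requested host equals, or is a subdomain of, a known-bad domain."""
    hits = []
    for line in lines:
        m = re.search(r"\bhttps?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((host, line))
    return hits

# Constructed sample data (assumed format): the lure hash in upper case, a benign placeholder hash,
# and proxy lines with one exact-domain hit, one subdomain hit and one clean request.
SAMPLE_INVENTORY = [
    (r"C:\Users\jdoe\Downloads\Compensation manual.doc",
     "31368F805417EB7C7C905D0ED729EB1BB0FEA33F6E358F7A11988A0D2366E942"),
    (r"C:\Windows\System32\WerFault.exe", "0" * 64),  # placeholder, not a real hash
]
SAMPLE_PROXY_LOG = [
    "2020-09-17T10:02:11Z jdoe GET http://yourrighttocompensation.com/ping 200",
    "2020-09-17T10:02:15Z jdoe GET https://www.asia-kotoba.net/favicon32.ico 200",
    "2020-09-17T10:03:40Z jdoe GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    print(match_file_hashes(SAMPLE_INVENTORY))
    print(match_proxy_log(SAMPLE_PROXY_LOG, ioc_domains(IOC_URLS)))
```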