- Threat actors are now abusing the legitimate Windows WerFault.exe error-reporting executable, through a new DLL sideloading method, to execute a RAT named Pupy.
- Pupy is an open-source multi-platform remote access trojan (RAT) utilized by advanced persistent threat (APT) groups.
- Dynamic-link library (DLL) sideloading is an increasingly popular attack method that abuses how Windows applications locate and load the DLLs they depend on.
Threat actors have used a new technique to abuse WerFault.exe, the Windows Error Reporting executable. WerFault.exe is the component that collects information about a crashing or hanging application and reports it so the problem can be diagnosed; it is a normal step in the error-reporting workflow on every Windows system. Although WerFault.exe is a legitimate Windows binary, the threat actors use it as a host process to execute a remote access trojan, so the malicious code runs inside an executable that users and many security tools expect to see.
Here is how it works
K7 Security Labs recently discovered a malicious ISO image containing four files: a legitimate copy of Windows' WerFault.exe, a malicious DLL named faultrep.dll, a shortcut file named "recent inventory & our specialties.lnk", and a spreadsheet named File.xls. When the target opens the shortcut, it runs the scriptrunner.exe LOLBin (a living-off-the-land binary shipped with Windows) via the command line, which in turn launches the copy of WerFault.exe from the ISO.
faultrep.dll is the name of a genuine DLL that WerFault.exe loads, normally from the Windows system directory. Because Windows searches an application's own directory before the system directory when resolving a DLL by name, running WerFault.exe from the ISO makes it load the attacker's faultrep.dll sitting beside it instead of the real one; this is the DLL sideloading step. To satisfy the loader, the malicious DLL exports the same function name as the genuine one, WerpInitiateCrashReporting, implemented as a dummy. The analysis notes that the malicious faultrep.dll was compiled on drive C.
Once the malicious DLL is loaded, it creates two threads. One loads the Pupy remote access tool's DLL ("dll_pupyx64.dll") into memory; the other opens the bundled File.xls, presumably as a decoy so the victim sees the spreadsheet they expected.
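The chain above leaves two observable anomalies on the endpoint: WerFault.exe executing from somewhere other than the Windows system directory (and being spawned by scriptrunner.exe), and WerFault.exe loading faultrep.dll from that same non-system location. The following detection logic is an added example, not code from K7 Security Labs or the original article. It runs over constructed, Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records; the field names mirror Sysmon's, but the records, the assumption that the ISO is mounted as D:, and the rule names are all made up for the demonstration.

```python
"""
Detection rules for the WerFault.exe / faultrep.dll sideloading chain.

Added example (not from the original article or K7 Security Labs). The event
records are constructed to mimic Sysmon EID 1 (process create) and EID 7
(image load); the ISO is assumed to be mounted as D: for illustration.
"""
import ntpath

# Directories from which the genuine WerFault.exe and faultrep.dll are expected.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# LOLBins the reported chain used to launch WerFault.exe.
SUSPICIOUS_PARENTS = {"scriptrunner.exe"}


def norm_dir(path):
    """Lower-cased directory part of a Windows path, without a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def norm_name(path):
    """Lower-cased file name part of a Windows path."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Return a list of (rule, detail) findings for the given event records."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            if norm_name(ev["Image"]) != "werfault.exe":
                continue
            # Genuine WerFault.exe lives in System32/SysWOW64; anything else is a copy.
            if norm_dir(ev["Image"]) not in TRUSTED_DIRS:
                findings.append(("werfault_outside_system32", ev["Image"]))
            # WER launches WerFault.exe itself; a script-runner parent is the LNK chain.
            if norm_name(ev.get("ParentImage", "")) in SUSPICIOUS_PARENTS:
                findings.append(("werfault_spawned_by_lolbin", ev["ParentImage"]))
        elif ev["EventID"] == 7:  # image (DLL) load
            # The sideload itself: WerFault.exe loading faultrep.dll from a non-system path.
            if (norm_name(ev["Image"]) == "werfault.exe"
                    and norm_name(ev["ImageLoaded"]) == "faultrep.dll"
                    and norm_dir(ev["ImageLoaded"]) not in TRUSTED_DIRS):
                findings.append(("faultrep_sideloaded", ev["ImageLoaded"]))
    return findings


# Constructed sample telemetry: a benign crash report followed by the ISO chain.
SAMPLE_EVENTS = [
    # Benign: WER launches the real WerFault.exe after an application crash.
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    # Suspicious: the LNK runs scriptrunner.exe, which starts WerFault.exe from the ISO,
    # and that copy loads the malicious faultrep.dll sitting next to it.
    {"EventID": 1, "Image": r"D:\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\scriptrunner.exe"},
    {"EventID": 7, "Image": r"D:\WerFault.exe",
     "ImageLoaded": r"D:\faultrep.dll"},
]


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Only the sideload and the anomalous launch are detected here: the Pupy DLL is mapped into memory by the malicious faultrep.dll rather than loaded from disk, so it would not normally appear as an image-load event, which is why the earlier links in the chain are the ones worth alerting on.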
Once the infection completes, the attackers have full access to the target device: they can remotely execute commands, move laterally within the network, and steal data.