Cybercriminals Abuse Built-in Services to Target Windows

Cybercriminals are now abusing inbuilt legitimate services of Windows to perform fileless attacks. Researchers reveal they use spear-phishing emails to spread a zip file containing a malicious document.

The process

A new attack dubbed Kraken was identified abusing Windows Error Reporting (WER) service as an evasion mechanism.
  • The attackers target Windows internal service WerFault[.]exe, which is used to report an error that occurs in the Windows OS. 
  • They first compromise a website to host their payload and use the CactusTorch framework to execute a fileless attack accompanied by multiple tricks.
  • After passing the anti-analysis checks, it loads the final shellcode and creates a new WER thread. The shellcode is hosted on the compromised asia-kotoba[.]net site, where it is planted as a fake favicon.
  • The attack could not be attributed to any known threat group as there is not enough evidence. However, researchers claim that APT32 previously used some elements used in this attack.

Recent attacks

It is not the first incident where cybercriminals abused the legitimate service of Windows OS to perform malicious actions. 
  • Last month, researchers discovered that the Microsoft Windows TCPIP Finger command could be used or exploited to function as a file downloader.
  • In August, Wastedlocker ransomware was seen abusing the internal working procedure of windows cache memory to bypass behavior-based anti-malware tools.

Conclusion

Cybercriminals are getting better at finding new attack techniques to exploit legitimate services, such as WER. Experts suggest users must regularly update anti-malware solutions, update Windows, and deploy a malicious behavior monitoring mechanism.