The Kraken Attack Technique Abuses WER to Avoid Detection


The work of a hacker community that has yet to be known is a new fileless attack strategy that exploits the Microsoft Windows Error Reporting (WER) programme.

The attack vector depends on malware burying itself in WER-based executables to prevent arousing suspicion, according to Malwarebytes protection researchers Hossein Jazi and Jérôme Segura.

In a blog post on Tuesday, the pair said the latest “Kraken” attack was discovered on September 17, although not a totally novel technique in itself.

A team-discovered lure phishing document was bundled in a . ZIP format. The paper, titled “Compensation manual.doc,” appears to contain information pertaining to worker compensation benefits, but can cause a malicious macro when accessed.

The macro uses a custom version of the CactusTorch VBA module, made possible by shellcode, to spring a fileless attack.

CactusTorch will load into memory a compiled .Net binary called ‘Kraken.dll’ and execute it via VBScript. This payload injects an encoded shellcode into WerFault.exe, a WER service-connected mechanism that Microsoft uses to detect and address errors in the operating system.

“The reporting programme, WerFault.exe, is normally invoked when an operating system, Windows functionality, or programme specific error occurs,” says Malwarebytes. “When victims see WerFault.exe running on their computer, they’re apt to believe that any mistake occurred when they were already attacked in an assault in this situation.”

The NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware also use this technique.

In order to render an HTTP request to a hard-coded server, the shellcode is also prompted, presumably to download additional malware.

Several anti-analysis approaches are adopted by Kraken operators, including code obfuscation, requiring the DLL to work on numerous threads, searching for sandbox or debugger conditions, and testing the registry to see if VMWare or Oracle VirtualBox virtual machines are operating. The developers have programmed the malicious code to terminate the research operations if signs are detected.

At present, the Kraken attack has proved to be hard to attribute. At the point of the study, the hard-coded target URL of the malware was taken down, and without this, it is not possible to have specific indicators showing one APT or another.

There are several elements that remind researchers of APT32, also known as OceanLotus, a Vietnamese APT suspected to be responsible for attacks against BMW and Hyundai in 2019, Malwarebytes says, however.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.