Release the Kraken: Fileless APT attack abuses Windows Error Reporting service – Malwarebytes Labs

We found a brand new assault that injected its payload—dubbed “Kraken—into the Home windows Error Reporting (WER) service as a protection evasion mechanism.

This weblog put up was authored by Hossein Jazi and Jérôme Segura.

On September 17th, we found a brand new assault referred to as Kraken that injected its payload into the Home windows Error Reporting (WER) service as a protection evasion mechanism.

That reporting service, WerFault.exe, is normally invoked when an error associated to the working system, Home windows options, or functions occurs. When victims see WerFault.exe operating on their machine, they most likely assume that some error occurred, whereas on this case they’ve truly been focused in an assault.

Whereas this method will not be new, this marketing campaign is probably going the work of an APT group that had earlier used a phishing assault engaging victims with a employee’s compensation declare. The risk actors compromised an internet site to host its payload after which used the CactusTorch framework to carry out a fileless assault adopted by a number of anti-analysis strategies.

On the time of writing, we couldn’t make a transparent attribution to who’s behind this assault, though some components remind us of the Vietnamese APT32 group.

Malicious lure: ‘your proper to compensation’

On September 17, we discovered a brand new assault ranging from a zipper file containing a malicious doc almost definitely distributed by spear phishing assaults.

The doc “Compensation guide.doc” pretends to incorporate details about compensation rights for staff:

Determine 1: Malicious Doc

The file comprises a picture tag (“INCLDEPICTURE“) that connects to “yourrighttocompensation[.]com” and downloads a picture that would be the doc template.

Determine 2: Imagetag embedded throughout the docDetermine 3: yourrighttocompensation web site

This area was registered on 2020-06-05 whereas the doc creation time is 2020-06-12, which doubtless signifies that they’re a part of the identical assault.

Inside, we see a malicious macro that makes use of a modified model of CactusTorch VBA module to execute its shellcode. CactusTorch is leveraging the DotNetToJscript method to load a .Web compiled binary into reminiscence and execute it from vbscript.

The next determine reveals the macro content material utilized by this risk actor. It has each AutoOpen and AutoClose capabilities. AutoOpen simply reveals an error message whereas AutoClose is the operate that performs the principle exercise.

Determine 4: Macro

As you may see in Determine 4, a serialized object in hex format has been outlined which comprises a .Web payload that’s being loaded into reminiscence. Then, the macro outlined an entry class with “Kraken.Kraken” as worth. This worth has two components which have been separated with a dot: the title of the .Web Loader and its goal class title.

Within the subsequent step, it creates a serialization BinaryFormatter object and makes use of the deseralize operate of BinaryFormatter to deserialize the thing. Lastly, by calling DynamicInvoke the .Web payload can be loaded and executed from reminiscence.

In contrast to CactusTorch VBA that specifies the goal course of to inject the payload into it throughout the macro, this actor modified the macro and specified the goal course of throughout the .Web payload.

Kraken Loader

The loaded payload is a .Web DLL with “Kraken.dll” as its inner title, compiled on 2020-06-12.

This DLL is a loader that injects an embedded shellcode into WerFault.exe. To be clear, this isn’t the primary case of such a method. It was noticed earlier than with the NetWire RAT and even the Cerber ransomware.

The loader has two principal lessons: “Kraken” and “Loader“.

Determine 5: Kraken.dll

The Kraken class comprises the shellcode that can be injected into the goal course of outlined on this class as “WerFault.exe“. It solely has one operate that calls the Load operate of Loader class with shellcode and goal course of as parameters.

Determine 6: Kraken class

The Loader class is accountable for injecting shellcode into the goal course of by making Home windows API calls.

Determine 7: Load operate

These are the steps it makes use of to carry out its course of injection:

  • StartProcess operate calls CreateProcess Home windows API with 800000C as dwCreateFlags.
  • FindEntry calls ZwQueryInformationProcess to find the bottom handle of the goal course of.
  • CreateSection invokes the ZwCreateSection API to create a piece throughout the goal course of.
  • ZwMapViewOfSection known as to bind the part to the goal course of to be able to copy the shellcode in by invoking CopyShellcode.
  • MapAndStart finishes the method injection by calling WriteProcessMemory and ResumeThread.

ShellCode Evaluation

Utilizing HollowHunter we dumped the shell code injected into WerFault.exe for additional evaluation. This DLL performs its malicious actions in a number of threads to make its evaluation tougher.

This DLL is executed by calling the “DllEntryPoint” that invokes the “Essential” operate.

Determine 8: Essential Course of

The principle operate calls DllMain which creates a thread to carry out its capabilities in a brand new thread throughout the context of the identical course of.

Figrue 9: Dll principal

The created thread at first performs some anti-analysis checks to verify it’s not operating in an evaluation/sandbox setting or in a debugger.

It does this by the next actions:

1) Checks existence of a debugger by calling GetTickCount:

GetTickCount is a timing operate that’s used to measure the time wanted to execute some instruction units. On this thread, it’s being referred to as two occasions earlier than and after a Sleep instruction after which the distinction is being calculated. If it’s not equal to 2 this system exits, because it identifies it’s being debugged.

Determine 10: Created thread

2) VM detection:

On this operate, it checks whether it is operating in VmWare or VirtualBox by extracting the supplier title of the show driver registry key (`SYSTEM\ControlSet001\Management\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000′) after which checking if it comprises the strings VMware or Oracle.

Determine 11: VM detection

3) IsProcessorFeaturePresent:

This API name has been used to find out whether or not the required processor function is supported or not. As you see from the under image, “0x17” has been handed to this API as a parameter which suggests it checks __fastfail assist earlier than continuing with instant termination.

Determine 12: InProcessorFeaturePresent

4) NtGlobalFlag:

The shell code checks NtGlobalFlag in PEB construction to determine whether or not it’s being debugged or not. To determine the debugger it compares the NtGlobalFlag worth with 0x70.

5) IsDebuggerPresent:

This checks for the presence of a debugger by calling “IsDebuggerPresent“.

Determine 13: NtGlobalFlag and IsDebuggerPresent test

After performing all these anti-analysis checks, it goes right into a operate to create its ultimate shellcode in a brand new thread. The import calls used on this half are obfuscated and resolved dynamically by invoking the “Resolve_Imports” operate.

This operate will get the handle of “kernel32.dll” utilizing LoadLibraryEx after which in a loop retrieves 12 imports.

Determine 14: Resolve_Imports

Utilizing the libpeconv library we’re capable of get the record of resolved API calls. Right here is the record of imports, and we will count on it’ll carry out some course of injection.


After resolving the required API calls it creates a reminiscence area utilizing VirtualAlloc after which calls “DecryptContent_And_WriteToAllocatedMemory” to decrypt the content material of the ultimate shell code and write them into created reminiscence.

Within the subsequent step, VirtualProtect known as to alter the safety to the allotted reminiscence to make it executable. Lastly, CreateThread has been referred to as to execute the ultimate shellcode in a brand new thread.

Determine 15: Resolve Imports and Create new thread

Ultimate Shell code

The ultimate shellcode is a set of directions that make an HTTP request to a hard-coded area to obtain a malicious payload and inject it right into a course of.

As first step it hundreds the Wininet API by calling LoadLibraryA:

Determine 16: Masses Wininet

Then it builds the record of operate calls which can be required to make the HTTP request which incorporates: InternetOpenA, InternetConnectA, InternetOpenRequestA and InternetSetOptionsExA.

Determine 17: HttpOpenRequestA

After making ready the necessities for constructing HTTP request, it creates a HTTP request and sends it by calling HttpSendrequestExA. The requested URL is:[.]web/favicon32.ico

Determine 18: HttpSendRequestExA

Within the subsequent step, it checks if the HTTP request is profitable or not. If the HTTP request will not be profitable it calls ExitProcess to cease its course of.

Determine 19: Checking the http request success

If the return worth of HTTPSendRequestExA is true, it means the request is profitable and the code proceeds to the following step. On this step it calls VirtualAllocExA to allocate a reminiscence area after which calls InternetReadFile to learn the information and write it to the allotted reminiscence.

Determine 20: InternetReadFile name

On the finish it jumps to the beginning of the allotted reminiscence to execute it. That is extremely prone to be one other shellcode that’s hosted on the compromised “asia-kotoba.web” website and planted as a faux favicon in there.

Since on the time of the report the goal URL was down, we weren’t capable of retrieve this shellcode for additional evaluation.

The work of an APT, however which one?

We don’t have sufficient proof to attribute this assault. Nonetheless, we have now discovered some unfastened connections to APT32 and are nonetheless investigating them:

  • APT32 is without doubt one of the actors that’s recognized to make use of CactusTorch HTA to drop variants of the Denis Rat. Nonetheless, since we weren’t capable of get the ultimate payload we can not undoubtedly attribute this assault to APT32.
  • The area used to host malicious archives and paperwork is registered in Ho chi minh metropolis, Vietnam. APT32 has used strategic internet compromises to focus on victims and is believed to be Vietnam-based.

Malwarebytes blocks entry to the compromised website internet hosting the payload:

Determine 21: Lure doc trying to contact distant website


Lure doc: 31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942

Archive file containing lure doc:

Doc template picture:

Archive file obtain URLs:

Obtain URL for ultimate payload:

You May Also Like