Original Release Date: 10/8/2020
Researchers from Malwarebytes Labs discovered a new cyber-attack, dubbed Kraken, that abuses Windows Error Reporting (WER) to evade detection. The Kraken payload is injected into WerFault.exe, the WER process that Windows normally launches when an operating system component, feature, or application crashes, so the malicious code runs under the name of a trusted Windows binary. The initial attack vector in these campaigns is a phishing email with a ZIP attachment containing a malicious Word document. If the recipient enables macros, a Visual Basic for Applications (VBA) macro executes and loads a .NET binary into memory. That .NET payload is a loader named kraken.dll, which injects an embedded shellcode into WerFault.exe. The researchers believe that a known advanced persistent threat (APT) group is responsible for the Kraken activity.
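The chain described above leaves two telemetry artifacts a defender can key on: a WerFault.exe process whose parent is an Office application (or that was started without WER's own crash-report switches), and a cross-process thread creation into WerFault.exe from a non-Windows image. The following detection logic is an added example written for this advisory, not code from Malwarebytes Labs or the NJCCIC. It runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 8 CreateRemoteThread) and assumes, consistent with the macro loading the .NET loader into memory, that WINWORD.EXE is the process that spawns and injects into WerFault.exe; the "no WER switches" heuristic and the field names of the records are assumptions for this example, not part of the original report.

```python
"""Flag WerFault.exe abuse patterns (Kraken-style injection) in Sysmon-like telemetry.

Added example for the NJCCIC advisory; the event records below are constructed,
not real telemetry, and the rules are heuristics rather than confirmed indicators.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Office processes that have no business creating or injecting into WerFault.exe.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumption for this example: a genuine crash-report launch carries WER's own
# switches (-u / -p <pid> / -s <event>); a bare WerFault.exe command line points
# at a process created only to host injected code.
WER_SWITCHES = {"-u", "-p", "-s", "-pss"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def _is_windows_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def check_process_create(ev: dict) -> list[str]:
    """Rules for a Sysmon Event ID 1 (process creation) record."""
    hits: list[str] = []
    if _name(ev["image"]) != "werfault.exe":
        return hits
    if _name(ev["parent"]) in OFFICE_APPS:
        hits.append("werfault_spawned_by_office")
    args = ev["cmd"].split()[1:]
    if not any(a.lower() in WER_SWITCHES for a in args):
        hits.append("werfault_without_wer_switches")
    return hits


def check_remote_thread(ev: dict) -> list[str]:
    """Rules for a Sysmon Event ID 8 (CreateRemoteThread) record."""
    hits: list[str] = []
    if _name(ev["target"]) != "werfault.exe":
        return hits
    if _name(ev["source"]) in OFFICE_APPS:
        hits.append("office_thread_into_werfault")
    elif not _is_windows_binary(ev["source"]):
        hits.append("non_windows_thread_into_werfault")
    return hits


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            rules = check_process_create(ev)
        elif ev["id"] == 8:
            rules = check_remote_thread(ev)
        else:
            rules = []
        if rules:
            findings.append({"id": ev["id"], "rules": rules, "event": ev})
    return findings


# Constructed sample records (not real logs): one benign crash report, one
# Kraken-style launch from Word, one injection from Word, one benign Event 8.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\WerFault.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "C:\\Windows\\System32\\WerFault.exe -u -p 4321 -s 1156"},
    {"id": 1, "image": "C:\\Windows\\System32\\WerFault.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "C:\\Windows\\System32\\WerFault.exe"},
    {"id": 8, "source": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "target": "C:\\Windows\\System32\\WerFault.exe"},
    {"id": 8, "source": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\WerFault.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"Event {f['id']}: {', '.join(f['rules'])}")
```

In a real deployment the same rules map onto Sysmon's ParentImage, CommandLine, SourceImage and TargetImage fields; tune the allowlist of legitimate WerFault.exe parents and injectors to your environment before alerting on the weaker "no WER switches" rule on its own.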
The NJCCIC recommends refraining from clicking links or opening attachments in emails from unknown senders and exercising caution with emails from known senders. Additionally, do not enable macros in documents unless there is a known business need for the feature. More information on this technique and indicators of compromise can be found in the Malwarebytes Labs blog post.