Hackers use Windows’ error reporting tool for malware deployment

Hackers are abusing Windows Problem Reporting (WerFault.exe), the built-in Windows error reporting tool, to load malware into the memory of compromised systems via DLL sideloading.

Because the malware is launched through a legitimate, signed Windows executable, the infection can proceed stealthily without raising alarms.

Researchers spotted the new campaign but could not identify the threat actors behind it. However, it is believed that they may be from China. is being misused

The campaign starts with an email carrying an ISO attachment. Double-clicking the ISO mounts it as a new drive letter containing a legitimate copy of Windows' WerFault.exe, an XLS file (File.xls), and a shortcut (inventory & specialties.lnk).

Files contained in the ISO

Source: K7 Labs

Clicking the shortcut file starts the infection chain: the shortcut runs scriptrunner.exe, which in turn executes WerFault.exe.

WerFault, the standard error reporting tool in Windows 10, 11 and 12, lets the system report and track errors related to the operating system or other applications.

Windows uses the tool to report errors and get potential solutions.

Because WerFault is a Windows executable signed by Microsoft, antivirus software trusts it, so launching it on the system does not usually trigger alerts.

WerFault.exe will launch when . Once running, it loads the malicious ‘faultrep.dll.dll’ DLL that ships in the ISO.

Normally, WerFault runs correctly when the file ‘faultrep.dll’ is found in the C:\Windows\System directory. The malicious DLL version found in the ISO carries additional code that launches the malware.

Sideloading is the technique of placing a malicious DLL under the same name as a legitimate one so that a trusted executable loads it instead.

DLL sideloading requires the malicious DLL to sit in the same directory as the executable that loads it. When the executable launches, Windows searches its own directory first, so a DLL there takes priority over the native DLL as long as the names match.

In this attack the malicious DLL starts two threads: one loads the Pupy Remote Access Trojan DLL (‘dll_pupyx64.dll’) into memory, and the other opens the XLS spreadsheet as a decoy.
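As an added illustration (not code from K7 Labs or the original article), the following Python checks Sysmon-style ImageLoad records for the pattern described above: a DLL that belongs in the system directory being loaded from the executable's own directory instead, and a system binary such as WerFault.exe running from a non-system path. Field names follow Sysmon Event ID 7; the records and the baseline sets are constructed for the example.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) style records; the values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll", "Signed": "true"},
    {"Image": r"E:\WerFault.exe",                      # copy on a mounted ISO drive
     "ImageLoaded": r"E:\faultrep.dll", "Signed": "false"},
    {"Image": r"E:\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries and DLLs expected only inside SYSTEM_DIRS; extend from your own baseline.
SYSTEM_EXES = {"werfault.exe"}
SYSTEM_DLLS = {"faultrep.dll"}


def sideload_reasons(event):
    """Return the reasons this ImageLoad event looks like DLL sideloading (empty if none)."""
    exe_dir, exe_name = (s.lower() for s in ntpath.split(event["Image"]))
    dll_dir, dll_name = (s.lower() for s in ntpath.split(event["ImageLoaded"]))
    reasons = []
    # Sideloading relies on the DLL sitting beside the executable, so only
    # same-directory loads are of interest here.
    if dll_dir != exe_dir:
        return reasons
    if dll_name in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from outside the system directory")
    if exe_name in SYSTEM_EXES and exe_dir not in SYSTEM_DIRS:
        reasons.append("system executable running from a non-system path")
    if reasons and event.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def find_sideloads(events):
    """Map event index -> reasons for every event that trips at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        reasons = sideload_reasons(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in find_sideloads(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["ImageLoaded"], "->", "; ".join(reasons))
```

Only the second record trips the rules; the copy of kernel32.dll loaded from System32 by the relocated WerFault.exe is left alone because it is not a same-directory load.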

Complete infection chain

Source: K7 Labs

PupyRAT is open-source malware written in Python. It supports reflective DLL loading, and additional modules can be downloaded later.

The malware gives threat actors full access to infected devices: they can execute commands, steal data and install additional malware.

Because it is an open-source tool that has been used by threat actors such as the Iranian APT33 or APT35, attribution of persistent operations is harder.

QBot malware distributors were observed using a last year, and abusing Windows Calculator in order to avoid detection by security software.