Malwarebytes reports that its researchers Hossein Jazi and Jérôme Segura discovered the attack method. Hackers use malware to burrow into WER executables in order to remain hidden. According to the team, the group behind the exploit has yet to be identified. In a blog post highlighting the attack, the researchers describe the “Kraken” attack, which was first found in September. However, it is worth noting that the techniques used are not new. Attackers leverage a phishing campaign built around a document loaded with a .ZIP file. This “Compensation manual.doc” file is sent to unwitting victims and claims to contain information about worker compensation rights.
How It Attacks
If the user opens the attachment, a malicious macro springs into action. Through the macro, a version of the CactusTorch VBA module is installed and launches the fileless attack. Specifically, a binary titled “Kraken.dll” is executed through VBScript and embedded into WerFault.exe in Windows. “That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens,” Malwarebytes says. “When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.” Once in place, Kraken can work across multiple threads, obfuscate its code, scan the registry, and detect sandboxes. While the pair of researchers could identify the attack, they have been unable to attribute it to any hacking group. Malwarebytes suggests it may come from APT32 because of some similar elements; this is a Vietnam-based threat group that has conducted major attacks in the past.
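The chain described above (Office macro, then VBScript, then code living inside WerFault.exe) gives defenders a concrete thing to hunt for: a WerFault.exe process whose parent or command line does not match normal crash reporting. The following detector is an added example, not code from Malwarebytes or from this article. It assumes process-creation events in a Sysmon-style shape (image, parent image, command line) supplied as JSON lines, and both heuristics are assumptions for the example: that WerFault.exe should not be spawned by an Office application or a script host, and that a legitimate crash-report instance carries arguments such as "-u -p <pid> -s <event id>" rather than an empty command line. The sample events are constructed.

```python
"""Heuristic detector for WerFault.exe being used as a host for injected code.

Added example, not code from Malwarebytes or the article. Input is a string of
JSON lines with the keys "id", "image", "parent" and "cmdline" (an assumed,
Sysmon-like shape). Tune SUSPICIOUS_PARENTS to your own estate.
"""
import json
import ntpath

# Parents from which WerFault.exe should not normally be spawned. This list is
# an assumption for the example, derived from the described chain
# (Office macro -> VBScript -> code inside WerFault.exe).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",   # Office hosts of the macro
    "wscript.exe", "cscript.exe",                 # VBScript hosts
}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"id": 1, "image": r"C:\Windows\System32\WerFault.exe",
                "parent": r"C:\Windows\System32\svchost.exe",
                "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1448"}),
    json.dumps({"id": 2, "image": r"C:\Windows\System32\WerFault.exe",
                "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "cmdline": r"C:\Windows\System32\WerFault.exe"}),
    json.dumps({"id": 3, "image": r"C:\Windows\System32\WerFault.exe",
                "parent": r"C:\Windows\System32\wscript.exe",
                "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 5532 -s 20"}),
    json.dumps({"id": 4, "image": r"C:\Windows\System32\notepad.exe",
                "parent": r"C:\Windows\explorer.exe",
                "cmdline": r"notepad.exe"}),
])


def _basename(path):
    """Lower-cased file name from a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def check_event(event):
    """Return the list of reasons an event looks like WerFault.exe abuse.

    An empty list means the event is either not WerFault.exe or looks benign.
    """
    reasons = []
    if _basename(event.get("image", "")) != "werfault.exe":
        return reasons
    parent = _basename(event.get("parent", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    # Assumption: legitimate crash handling passes arguments such as
    # "-u -p <pid> -s <id>", so a bare WerFault.exe with no arguments is odd.
    # Naive whitespace split; quoted paths with spaces would need shlex-style
    # parsing in production.
    args = event.get("cmdline", "").split()[1:]
    if not args:
        reasons.append("no crash-report arguments")
    return reasons


def detect(raw_lines):
    """Run check_event over JSON-lines input; return {event id: [reasons]}."""
    alerts = {}
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = check_event(event)
        if reasons:
            alerts[event["id"]] = reasons
    return alerts


if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {'; '.join(reasons)}")
```

Run against the constructed sample, event 1 (WerFault.exe under svchost.exe with normal arguments) is silent, while events 2 and 3 are flagged; event 4 is ignored because it is not WerFault.exe. Both heuristics will produce false positives in some environments (some applications launch WerFault.exe themselves when they crash), so treat a hit as a lead to pair with the rest of the chain, such as an Office process spawning a script host, rather than as proof on its own.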