Researchers at cybersecurity firm K7 Security Labs have spotted a malware distribution campaign that used an interesting technique to deploy the Pupy RAT (remote access tool).
The new technique abuses the legitimate Windows Problem Reporting (WerFault.exe) error reporting tool designed to gather information about the hardware and software problems on Windows systems.
The first stage of the campaign involves an email with an ISO attachment. This ISO image contains four files: a legitimate WerFault.exe, a malicious DLL named 'faultrep.dll', a shortcut file named 'recent inventory & our specialties.lnk' and an XLS file named 'File.xls'.
When the victim opens the shortcut file, WerFault.exe is executed and the malicious 'faultrep.dll' DLL contained in the ISO is loaded onto the system.
“Originally, Faultrep.dll is the name of the DLL used by WerFault.exe, which is present in the default Windows folder. When WerFault.exe starts executing, it uses the DLL side-loading technique to load the Faultrep.dll from the ISO, and it has a dummy export function WerpInitiateCrashReporting similar to the original DLL. This malicious Faultrep.dll is compiled in C,” the researchers explained.
Once loaded, the malicious DLL will create two threads, one of which will open a lure excel sheet named file.xls, and the other will load Pupy RAT’s DLL ('dll_pupyx64.dll') into memory.
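The defender-side signal in the chain above is a signed Windows binary (WerFault.exe) loading faultrep.dll from somewhere other than the Windows system directories, for instance from a mounted ISO. The following is an added example, not code from the K7 report, that parses constructed Sysmon-style image-load records (the flattened 'Key: Value|Key: Value' line format, the field names Image/ImageLoaded/Signed, and the drive letter D: for the mounted ISO are all assumptions) and flags that side-loading pattern.

```python
# Added example (not from the K7 report): flag image-load events in which
# WerFault.exe loads faultrep.dll from outside the Windows system directories
# or without a valid signature. The log lines below are constructed, not
# captured from the campaign.
import ntpath
from dataclasses import dataclass

# Where the genuine faultrep.dll lives on a default install (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass
class ImageLoad:
    process: str   # loading process (Sysmon 'Image' field, assumed name)
    loaded: str    # DLL path (Sysmon 'ImageLoaded' field, assumed name)
    signed: bool   # whether the DLL carried a valid signature


def parse_sysmon_line(line: str) -> ImageLoad:
    """Parse a flattened 'Key: Value|Key: Value' image-load record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        process=fields["Image"],
        loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
    )


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when WerFault.exe loads faultrep.dll from an untrusted location."""
    proc_name = ntpath.basename(ev.process).lower()
    dll_name = ntpath.basename(ev.loaded).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if proc_name != "werfault.exe" or dll_name != "faultrep.dll":
        return False
    # The real faultrep.dll sits in a system directory and is signed;
    # anything else matches the side-loading pattern described above.
    return dll_dir not in TRUSTED_DIRS or not ev.signed


# Constructed sample records: a benign system load, the ISO side-load
# (ISO mounted as D:), and an unrelated load that must not fire.
SAMPLE_LOG = [
    r"EventID: 7|Image: C:\Windows\System32\WerFault.exe"
    r"|ImageLoaded: C:\Windows\System32\faultrep.dll|Signed: true",
    r"EventID: 7|Image: D:\WerFault.exe"
    r"|ImageLoaded: D:\faultrep.dll|Signed: false",
    r"EventID: 7|Image: C:\Windows\System32\svchost.exe"
    r"|ImageLoaded: C:\Windows\System32\ntdll.dll|Signed: true",
]


def find_sideloads(lines):
    """Return the DLL paths of every record matching the side-load pattern."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if is_suspicious_sideload(ev):
            hits.append(ev.loaded)
    return hits


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_LOG):
        print("suspicious faultrep.dll side-load:", path)
```

The check keys on the process/DLL pair and the load directory rather than on a file hash, so it still fires if the attacker recompiles the DLL; a copy of the genuine DLL dropped next to WerFault.exe on the ISO would pass the signature test but still fail the directory test.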
Pupy RAT is an open source remote admin tool available on GitHub. Since 2013, this tool has been used by multiple Iran-linked state-backed hackers like APT33 (Elfin), APT35 (Charming Kitten), and APT34/OilRig. In 2020, Recorded Future's Insikt Group detailed a campaign by APT33, which targeted a key organization in the European energy sector.
The researchers did not identify a hacker group behind this operation, but based on some findings they believe that a China-based threat actor may be involved.