Quote:A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is potentially the work of a Vietnamese APT group, researchers said.
 
The attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, according to a blog post on Tuesday by researchers Hossein Jazi and Jérôme Segura. Instead, it leads them to a malicious website that can load malware that hides in WER, they said.
 
“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques,” researchers wrote.
 
WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It’s also included in Windows Mobile versions 5.0 and 6.0.
 
The service runs the WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users wouldn’t likely to suspect any nefarious activity if the service is running, they said.
 
“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi and Segura wrote.