K7 Security Labs reports that unidentified threat actors are using a DLL sideloading technique to deploy malware into victims' systems after gaining entry through abuse of the Windows Problem Reporting tool, according to BleepingComputer.
The application, WerFault.exe, is found in Windows 10 and 11 as the standard error reporting tool used for tracking and reporting operating system- or application-related errors. Through the tool, Windows can report errors and obtain suggestions for solutions. As a legitimate, Windows-signed executable, the tool is typically designated as a trusted application by antivirus tools, meaning there is usually no alert whenever it is launched on a system.
Threat actors exploit this by sending targets an email with an ISO attachment, which when opened will mount itself as a new drive letter with an authentic WerFault executable, a decoy XLS file, a malicious DLL file, and a shortcut file. Clicking the shortcut file executes WerFault, which, thanks to an existing DLL sideloading flaw, will load the DLL that launches the Pupy Remote Access Trojan malware and the XLS file.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news