New malware campaign exploits Windows error reporting tool

K7 Security Labs reports that unidentified threat actors are using a DLL sideloading technique to deploy malware into victims' systems after gaining entry through abuse of the Windows Problem Reporting tool, according to BleepingComputer. The application, WerFault.exe, is found in Windows 10 and 11 as the standard error reporting tool used for tracking and reporting operating system- or application-related errors. Through the tool, Windows can report errors and obtain suggestions for solutions. As a legitimate, Windows-signed executable, the tool is typically designated as a trusted application by antivirus tools, meaning there is usually no alert whenever it is launched on a system. Threat actors exploit this by sending targets an email with an ISO attachment, which, when opened, mounts as a new drive letter containing an authentic WerFault executable, a decoy XLS file, a malicious DLL file, and a shortcut file. Clicking the shortcut file executes WerFault, which, because of an existing DLL sideloading flaw, loads the malicious DLL, which in turn launches the Pupy Remote Access Trojan malware and opens the decoy XLS file.
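Because the signed WerFault.exe in this chain runs from the mounted ISO rather than from the Windows system directory, its launch path is a usable detection signal. The following is an added example, not code from K7 Security Labs or BleepingComputer: it assumes process-creation events exported as dictionaries with Sysmon-style `Image`, `ParentImage` and `OriginalFileName` fields and Windows installed on `C:`, and the sample events are constructed.

```python
import ntpath

# Directories where the genuine WerFault.exe lives (assumption: Windows on C:).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _norm(path):
    """Collapse '..' segments, unify slashes and lowercase a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))

def is_werfault(event):
    """Match on file name or embedded original name, so renamed copies count."""
    name = ntpath.basename(_norm(event["Image"]))
    original = event.get("OriginalFileName", "").lower()
    return "werfault.exe" in (name, original)

def find_misplaced_werfault(events):
    """Return one finding per WerFault.exe launch from outside TRUSTED_DIRS."""
    findings = []
    for event in events:
        image = _norm(event["Image"])
        if is_werfault(event) and ntpath.dirname(image) not in TRUSTED_DIRS:
            findings.append({
                "image": image,
                "drive": ntpath.splitdrive(image)[0],
                "parent": _norm(event.get("ParentImage", "")),
            })
    return findings

# Constructed sample events for illustration; not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"E:\WerFault.exe",                       # copy on a mounted image
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\..\Temp\WERFAULT.EXE",  # path traversal, odd case
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"D:\report.exe", "OriginalFileName": "WerFault.exe",  # renamed copy
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in find_misplaced_werfault(SAMPLE_EVENTS):
        print("ALERT WerFault outside system dir:", finding)
```

A hit means only that the binary ran from an unexpected location; checking which DLLs that process loaded from the same directory is the natural follow-up.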
