
Hackers abuse the Windows 10 / 11 error reporting tool to run malware via DLL side-loading

2025-02-25 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 11/24 Report

CTOnews.com, January 5: hackers have abused Windows Problem Reporting (WerFault.exe), the error reporting tool built into Microsoft's Windows 10 / 11, to run malware in the memory of an infected device via DLL side-loading.

The attacker launches the malware through a legitimate Windows executable, so the whole process triggers no warnings and the device is infected covertly. The security company K7 Security Labs was the first to discover this attack.

The attack begins with an email carrying an ISO attachment. When the user double-clicks the ISO file, it mounts as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file ("faultrep.dll"), an XLS file ("File.xls") and a shortcut file ("inventory & our specialties.lnk").

CTOnews.com learned that the victim starts the infection chain by clicking the shortcut file, which uses "scriptrunner.exe" to execute WerFault.exe. WerFault is the standard Windows error reporting tool in Windows 10 and 11; it lets the system track and report errors related to the operating system or to applications.

Antivirus tools usually trust WerFault because it is a legitimate Windows executable signed by Microsoft, so launching it on the system does not normally trigger an alert that would warn the victim.

When WerFault.exe starts, the malware exploits the known DLL side-loading flaw to load the malicious "faultrep.dll" contained in the ISO.

Normally, "faultrep.dll" is the legitimate Microsoft DLL in the C:\Windows\System32 folder that WerFault needs in order to run correctly. The malicious version in the ISO, however, contains additional code that launches the malware.
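The chain described above leaves a clear footprint in endpoint telemetry: a copy of WerFault.exe running from somewhere other than System32, WerFault.exe spawned by scriptrunner.exe, and faultrep.dll resolved from a path outside System32. The following detection logic is an added example written for this page; it is not code from the article, from CTOnews.com or from K7 Security Labs. The key=value event format, the field names (`event`, `pid`, `image`, `parent_image`, `loaded`) and the sample log lines are all constructed assumptions standing in for whatever your EDR or Sysmon pipeline actually emits.

```python
"""Detect the WerFault.exe / faultrep.dll side-loading chain in process-create
and image-load telemetry. Added example; log format and field names are
constructed assumptions, not any vendor's real schema."""
import ntpath
import re

# Directories where Windows keeps the genuine WerFault.exe and faultrep.dll.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry: one benign WerFault run (pid 4120) and one
# matching the chain in the article (pid 5208: WerFault.exe copied to a
# mounted ISO drive, spawned via scriptrunner.exe, side-loading faultrep.dll).
SAMPLE_LOG = r"""
event=ProcessCreate pid=4120 image="C:\Windows\System32\WerFault.exe" parent_image="C:\Windows\System32\svchost.exe"
event=ImageLoad pid=4120 image="C:\Windows\System32\WerFault.exe" loaded="C:\Windows\System32\faultrep.dll"
event=ProcessCreate pid=5208 image="E:\WerFault.exe" parent_image="C:\Windows\System32\scriptrunner.exe"
event=ImageLoad pid=5208 image="E:\WerFault.exe" loaded="E:\faultrep.dll"
"""

# key=value pairs; values may be double-quoted (paths contain spaces and backslashes).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value event line into a dict with lower-cased keys."""
    fields: dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _in_trusted_dir(path: str) -> bool:
    """True if the file's directory is one of the known-good Windows system dirs."""
    return ntpath.dirname(path).lower().rstrip("\\") in TRUSTED_DIRS


def _is_file(path: str, name: str) -> bool:
    """Case-insensitive basename comparison on a Windows-style path."""
    return ntpath.basename(path).lower() == name


def detect(log_text: str) -> list[tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching the side-loading chain."""
    alerts: list[tuple[str, int]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = int(ev["pid"])
        # Every rule here is scoped to WerFault.exe as the running image.
        if not _is_file(ev.get("image", ""), "werfault.exe"):
            continue
        if ev["event"] == "ProcessCreate":
            # Genuine WerFault lives in System32; a copy on a mounted ISO drive is not.
            if not _in_trusted_dir(ev["image"]):
                alerts.append(("werfault_run_from_untrusted_path", pid))
            # The article's chain launches WerFault through scriptrunner.exe from a .lnk.
            if _is_file(ev.get("parent_image", ""), "scriptrunner.exe"):
                alerts.append(("werfault_spawned_by_scriptrunner", pid))
        elif ev["event"] == "ImageLoad":
            loaded = ev.get("loaded", "")
            # faultrep.dll should only ever be resolved from System32 / SysWOW64.
            if _is_file(loaded, "faultrep.dll") and not _in_trusted_dir(loaded):
                alerts.append(("faultrep_loaded_from_untrusted_path", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_LOG):
        print(f"ALERT {rule} pid={pid}")
```

The benign run (pid 4120) produces no alerts because both the executable and the DLL resolve from System32; the ISO-based run (pid 5208) trips all three rules. In practice the image-load rule is the most robust of the three, since it does not depend on the attacker keeping scriptrunner.exe or a removable drive letter in the chain.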
