
Hackers are abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into the memory of a compromised system through a DLL sideloading technique.

Launching the malware through a legitimate, Microsoft-signed Windows executable lets the attackers infect devices stealthily, without triggering an alarm on the hacked system.

The new campaign was spotted by K7 Security Labs, who could not identify the hackers, but they are believed to be based in China.

Abuse of WerFault.exe

The malware campaign begins with the arrival of an email carrying an ISO attachment. When double-clicked, the ISO mounts as a new drive letter containing a legitimate copy of the Windows executable WerFault.exe, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’) and a shortcut file (‘inventory & our specialties.lnk’).

Files contained in the ISO
Source: K7 Security Labs

The victim starts the infection chain by clicking on the shortcut file, which uses ‘scriptrunner.exe’ to run WerFault.exe.

WerFault is the standard Windows error reporting tool used in Windows 10 and 11, allowing the system to track and report errors related to the operating system or applications.

Windows uses the tool to report an error and receive recommendations for potential solutions.

Antivirus tools generally trust WerFault because it is a legitimate Windows executable signed by Microsoft. Therefore, launching it on the system usually does not trigger any alerts to warn the victim.

When WerFault.exe is launched, a known DLL sideloading weakness causes it to load the malicious ‘faultrep.dll’ contained in the ISO.

Normally, the ‘faultrep.dll’ file is a legitimate Microsoft DLL in the C:\Windows\System folder needed for WerFault to work properly. However, the malicious DLL version in the ISO contains additional code to launch the malware.

The technique of planting a malicious DLL with the same name as a legitimate DLL, so that it is loaded in place of the real one, is called DLL sideloading.

DLL sideloading requires that the malicious version of the DLL be located in the same directory as the executable that invokes it. When the executable is launched, Windows searches the application's own directory before the system directory, so a same-named DLL placed next to the executable takes priority over the native copy.

When the DLL is loaded in this attack, it creates two threads: one loads the Pupy Remote Access Trojan DLL (“dll_pupyx64.dll”) into memory, and the other opens the included XLS spreadsheet to serve as a lure.

Complete chain of infection
Source: K7 Security Labs

Pupy RAT is an open-source, publicly available malware written in Python that supports reflective DLL loading to evade detection; additional modules are downloaded later.

The malware gives hackers full access to infected devices, allowing them to execute commands, steal data, install other malware, or spread laterally through a network.

As an open-source tool, it has been used by several state-backed espionage actors, such as the Iranian groups APT33 and APT35, because such tools make attribution harder and persistent operations harder to track.

QBot malware distributors were seen adopting a similar attack chain last summer, abusing the Windows calculator to evade detection by security software.
