Hackers exploited the Windows tool to distribute the Pupy RAT

January 17, 2023

Threat actors have found a way to abuse an error-reporting tool on Windows to spread the Pupy RAT. According to reports, the Pupy RAT operators use the operating system's Windows Problem Reporting feature to deliver malware to a targeted system.

This technique has enabled the attackers to infect targeted devices without raising suspicion or being detected by security solutions.

The researchers explained that the hackers, allegedly based in China, use WerFault[.]exe, and that these actors could deploy a remote access trojan during the campaign.

According to the investigation, the target receives an email carrying an ISO file which, when opened, mounts on the targeted device as a new drive. The mounted drive holds a genuine copy of WerFault[.]exe, additional files, a shortcut (.lnk) file named inventory, and a malicious DLL called faultrep[.]dll.

The Pupy RAT operators use WerFault as their primary distribution vector.

The Windows reporting system abused by the Pupy RAT operators is a standard tool on Windows 10 and 11 for reporting errors and exploring possible solutions.

Launching this feature raises no red flags on the targeted device, since the executable is signed by Microsoft. The infection chain therefore starts when a user clicks the shortcut file, which launches WerFault[.]exe from the ISO; the executable then loads the malicious DLL placed beside it instead of the legitimate one.

The malicious DLL then creates two threads: the first loads the Pupy RAT's DLL, and the second opens a decoy XLS spreadsheet as a diversion to distract the target.

The remote access trojan then attempts to contact its command-and-control server in the background while the target's attention stays on the spoofed WerFault window.

Pupy RAT gives its operator a range of capabilities on the infected device, including command execution, data harvesting, and installation of additional malware strains.

The abuse of ISO files and of genuine Windows tools to deploy malware shows that the threat actors know the loopholes that let them bypass security controls. Experts urge users to strengthen their endpoint security and implement defence mechanisms to detect and block malicious campaigns.
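As an added example (not code from the original article or from the researchers it cites), the following detection logic runs over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags the two tell-tale signs of the chain described above: a signed WerFault.exe started from outside the Windows system directories (such as a mounted ISO), and a faultrep.dll that WerFault.exe loads from a non-system directory. Field names follow Sysmon's Image and ImageLoaded; the sample events are constructed for illustration.

```python
"""Detect the WerFault.exe / faultrep.dll sideloading chain in Sysmon-style telemetry."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Directories the genuine WerFault.exe and faultrep.dll live in (lower-cased, drive letter removed).
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def _in_system_dir(path: str) -> bool:
    """True if `path` sits directly in System32 or SysWOW64 on any drive letter."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    # Drop the drive prefix ("c:") so the check holds for C:, D:, etc.
    parent = parent[2:] if p.drive else parent
    return parent in SYSTEM_DIRS


def classify_event(event: Dict[str, object]) -> Optional[str]:
    """Return an alert message for a suspicious event, or None if it looks benign."""
    image = str(event["Image"])
    if PureWindowsPath(image).name.lower() != "werfault.exe":
        return None  # Only WerFault.exe activity is of interest here.
    if event["EventID"] == 1 and not _in_system_dir(image):
        # Process creation: the signed binary itself is running from the wrong place.
        return f"WerFault.exe launched from non-system path: {image}"
    if event["EventID"] == 7:
        # Image load: WerFault.exe pulling its dependency from beside itself instead of System32.
        loaded = str(event["ImageLoaded"])
        if PureWindowsPath(loaded).name.lower() == "faultrep.dll" and not _in_system_dir(loaded):
            return f"faultrep.dll sideloaded by WerFault.exe from: {loaded}"
    return None


def scan(events: List[Dict[str, object]]) -> List[str]:
    """Apply classify_event to every record and collect the alerts in order."""
    return [alert for alert in (classify_event(e) for e in events) if alert]


# Constructed sample telemetry: one legitimate error-report chain and one mirroring the ISO-based chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe", "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"EventID": 1, "Image": r"E:\WerFault.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"E:\WerFault.exe", "ImageLoaded": r"E:\faultrep.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the two events from the mounted drive are reported; the genuine WerFault.exe and its System32 dependency pass silently.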
