WerFault.exe is normally launched when an error occurs in the operating system, a Windows feature, or an application. A victim who sees WerFault.exe running on their machine will probably assume that some error has occurred, when in this case they have actually been targeted in an attack.

The injected shellcode created a DLL that carried out its malicious activity across multiple threads in order to evade detection. The DLL also performed several anti-analysis routines, such as checking for the presence of a debugger and looking for signs that it was running inside VMware or VirtualBox. If those checks came back negative, the loader created its final shellcode in a new thread. This shellcode, in turn, used an HTTP request to connect to a hard-coded domain, download a malicious payload and inject it into a process. The security firm reasoned that this payload was another shellcode hosted on a compromised website; however, the URL was down at the time of analysis, so it couldn't investigate further.

Malwarebytes said APT32 might have been behind this campaign, given that it has observed the threat actor use CactusTorch HTA to drop the Denis RAT in the past.
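As a defender-side illustration added here (not code from the article or from Malwarebytes), the following Python scan runs over constructed Sysmon-style events and flags a WerFault.exe that runs from outside the Windows system directories or opens a network connection to a host not on a placeholder allowlist of error-reporting endpoints, the two behaviours the chain above relies on. The log lines, the allowlist and the hostnames are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not from the article): EID 1 is a
# process-create record, EID 3 a network-connect record, one per line.
SAMPLE_LOG = """\
EID=1 PID=4120 Image=C:\\Windows\\System32\\WerFault.exe ParentImage=C:\\Windows\\System32\\svchost.exe
EID=3 PID=4120 Image=C:\\Windows\\System32\\WerFault.exe DestinationHostname=wer.placeholder.invalid DestinationPort=443
EID=1 PID=5080 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\WerFault.exe ParentImage=C:\\Windows\\System32\\mshta.exe
EID=3 PID=5080 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\WerFault.exe DestinationHostname=staging.placeholder.invalid DestinationPort=80
EID=3 PID=6010 Image=C:\\Program Files\\Browser\\browser.exe DestinationHostname=example.com DestinationPort=443
"""

# Placeholder allowlist of legitimate Windows Error Reporting hosts;
# replace with the endpoints actually observed in your environment.
ALLOWED_WER_HOSTS = {"wer.placeholder.invalid"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# KEY=VALUE pairs; a value runs until the next KEY= or end of line,
# so paths containing spaces survive intact.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'KEY=VALUE ...' event line into a dict."""
    return {k: v for k, v in _FIELD.findall(line)}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire for one event."""
    hits: List[str] = []
    image = ev.get("Image", "").lower()
    if image.rsplit("\\", 1)[-1] != "werfault.exe":
        return hits
    # Rule 1: WerFault.exe running from outside the system directories.
    if not image.startswith(LEGIT_DIRS):
        hits.append("werfault_unexpected_path")
    # Rule 2: WerFault.exe connecting to a host that is not a WER endpoint.
    host = ev.get("DestinationHostname", "").lower()
    if ev.get("EID") == "3" and host not in ALLOWED_WER_HOSTS:
        hits.append("werfault_unexpected_network")
    return hits

def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged PID to its distinct detections, in order seen."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for hit in check_event(ev):
            hits = findings.setdefault(ev["PID"], [])
            if hit not in hits:
                hits.append(hit)
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports only PID 5080, the copy launched from a user-writable Temp directory that then beacons to a host outside the allowlist; the legitimate System32 instance talking to the allowlisted endpoint is left alone.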