Hackers have abused Windows Problem Reporting (WerFault.exe), a built-in error reporting tool in Microsoft Windows 10 and Windows 11, to run malware in the memory of infected devices via DLL side-loading.
The attacker first launches the malware through a legitimate Windows executable, so the whole process triggers no warnings and covertly infects the device. The security company K7 Security Labs was the first to discover this attack method.
The malware campaign begins with an email carrying an ISO attachment. When the user double-clicks the ISO file, it mounts itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (“faultrep.dll”), an XLS file (“File.xls”) and a shortcut file (“inventory & our specialties.lnk”).
The victim launches the infection chain by clicking the shortcut file, which uses “scriptrunner.exe” to execute WerFault.exe. WerFault is the standard Windows error reporting tool in Windows 10 and 11 that allows the system to track and report errors related to the operating system or applications.
Anti-virus tools usually trust WerFault because it is a legitimate Windows executable signed by Microsoft, so launching it on a system will not normally trigger an alert.
After WerFault.exe launches, the malware uses a known DLL side-loading flaw to load the malicious ‘faultrep.dll’ DLL contained in the ISO.
Normally, ‘faultrep.dll’ is a legitimate DLL that resides in the C:\Windows\System32 folder and that WerFault needs in order to run correctly; the malicious version in the ISO, however, contains additional code that is used to launch the malware.
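As an added defender-side example (this is not code from the article or from K7 Security Labs), the following Python sketch turns the three observable traits described above into detection rules over process-creation and image-load telemetry: WerFault.exe running from outside a Windows system directory, WerFault.exe spawned by scriptrunner.exe, and faultrep.dll loaded from a path other than System32. The key=value log layout, the sample events and the D: drive letter for the mounted ISO are constructed for illustration and are assumptions, not a real vendor format.

```python
"""Detection sketch for the WerFault.exe / faultrep.dll side-loading pattern.

Added example, not from the article or K7 Security Labs. The log format below
is a constructed, simplified key=value layout (an assumption, not a real
vendor schema); ntpath is used so Windows paths parse correctly on any OS.
"""
import ntpath
import re
from typing import Dict, List

# Directories where a genuine WerFault.exe / faultrep.dll is expected to live.
# Treating both System32 and SysWOW64 as trusted is an assumption of this example.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry: ws01 is benign, ws02 matches the campaign
# (WerFault copied to a mounted ISO drive, launched via ScriptRunner.exe,
# loading faultrep.dll from the same drive).
SAMPLE_LOG = """\
event=process_create host=ws01 image=C:\\Windows\\System32\\WerFault.exe parent=C:\\Windows\\System32\\svchost.exe
event=image_load host=ws01 image=C:\\Windows\\System32\\WerFault.exe loaded=C:\\Windows\\System32\\faultrep.dll
event=process_create host=ws02 image=D:\\WerFault.exe parent=C:\\Windows\\System32\\ScriptRunner.exe
event=image_load host=ws02 image=D:\\WerFault.exe loaded=D:\\faultrep.dll
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed key=value log line into a dict (empty for blank lines)."""
    return dict(KV.findall(line))


def in_trusted_dir(path: str) -> bool:
    """True if the file sits directly in a trusted Windows system directory."""
    return ntpath.dirname(path.lower()) in TRUSTED_DIRS


def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per rule hit; each finding names the host, rule and offending path."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or base(ev.get("image", "")) != "werfault.exe":
            continue
        host = ev.get("host", "?")
        if ev.get("event") == "process_create":
            image = ev["image"]
            # Rule 1: a signed WerFault.exe copied next to attacker files and run from there.
            if not in_trusted_dir(image):
                findings.append({"host": host, "rule": "werfault_outside_system_dir", "detail": image})
            # Rule 2: the LNK in the article used scriptrunner.exe as the launcher.
            parent = ev.get("parent", "")
            if base(parent) == "scriptrunner.exe":
                findings.append({"host": host, "rule": "werfault_spawned_by_scriptrunner", "detail": parent})
        elif ev.get("event") == "image_load":
            loaded = ev.get("loaded", "")
            # Rule 3: faultrep.dll resolved from the working directory instead of System32.
            if base(loaded) == "faultrep.dll" and not in_trusted_dir(loaded):
                findings.append({"host": host, "rule": "faultrep_sideload", "detail": loaded})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

Rule 3 is the one that survives renaming of the launcher: wherever WerFault.exe is started from, a faultrep.dll image load from a non-system path is the side-load itself, so it is the highest-confidence signal of the three.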