A new fileless attack technique that abuses the Microsoft Windows Error Reporting (WER) service is the work of a hacking group that is yet to be identified. 

According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion.

In a blog post[1] on Tuesday, the duo said the new "Kraken" attack -- albeit not a completely novel technique in itself -- was detected on September 17. 


A phishing lure document found by the team was packaged in a .ZIP file. Titled "Compensation manual.doc," the file claims to contain information relating to worker compensation rights, but when opened, it is able to trigger a malicious macro.

The macro uses a custom version of the CactusTorch VBA module to spring a fileless attack, made possible through shellcode. 

CactusTorch is able to load a .NET-compiled binary called "Kraken.dll" into memory and execute it via VBScript. This payload injects embedded shellcode into WerFault.exe[3], a process connected to the WER service and used by Microsoft to track and address operating system errors.

"That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens," Malwarebytes says. "When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack."


This technique is also used by the NetWire[5] Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware[6].
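A detection sketch for the behaviour described above, added here as an example and not taken from Malwarebytes or the original article: it scores process-creation events for WerFault.exe started by an Office or script-host parent, or started with no arguments. The Sysmon-style field names, the parent list and the no-arguments heuristic are assumptions, and the sample events are constructed.

```python
import ntpath

# Assumption: these parents have no normal reason to start WerFault.exe directly.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events; field names loosely follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4312 -s 1208"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\System32\WerFault.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]

def score_event(ev):
    """Return the reasons a process-creation event looks like WerFault abuse."""
    if ntpath.basename(ev["Image"]).lower() != "werfault.exe":
        return []
    reasons = []
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent in SUSPECT_PARENTS:
        reasons.append(f"spawned by {parent}")
    # Crude split that is adequate for unquoted paths: drop the executable
    # token and keep the arguments. Crash-triggered launches normally carry
    # arguments such as a target PID, so an empty list is worth a look.
    if not ev["CommandLine"].split()[1:]:
        reasons.append("no command-line arguments")
    return reasons

def triage(events):
    """Return (event, reasons) pairs for every event with at least one reason."""
    return [(ev, r) for ev in events if (r := score_event(ev))]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev["ParentImage"], "->", ev["Image"], "|", "; ".join(reasons))
```

Both signals are heuristics for triage; a hit should be correlated with memory or network telemetry for the flagged process before it is treated as an incident.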

The shellcode is also
