Malwarebytes’s Threat Intelligence team has uncovered a new attack dubbed “Kraken”, which is attributed to APT32.
The attacker abused the Windows Error Reporting process by injecting malicious shellcode into a new instance of WerFault.exe (the Windows Error Reporting binary), thus subverting its behavior while assuming the identity of a legitimate Windows binary.
In the image below, you can see how Minerva Labs blocks the “Kraken” attack with our Memory Injection Prevention module, preventing the initial infection.
As an additional layer of defense, Minerva Labs’ Hostile Environment Simulation will block the late-stage shellcode by tricking it into believing it is executing in a virtual machine.
The full details of the attack can be found here.
If you’ve been the victim of a Kraken attack, or would like to talk to Minerva Labs about upgrading your protection, please contact us.