Malwarebytes’s Threat Intelligence team has uncovered a new attack dubbed “Kraken”, which is attributed to APT32.
The attacker abused the Windows Error Reporting process by injecting malicious shellcode into a new instance of WerFault.exe (the Windows Error Reporting binary), thus subverting its behavior while assuming the identity of a legitimate Windows binary.
In the image below, you can see how Minerva Labs blocks the “Kraken” attack with our Memory Injection Prevention module, preventing the initial infection.
As an additional layer of defense, Minerva Labs' Hostile Environment Simulation will block the late-stage shellcode by tricking it into believing it is executing in a virtual machine.
The full details of the attack can be found here.
If you've been the victim of a Kraken attack, or would like to talk to Minerva Labs about upgrading your protection, please contact us.