Hackers are using one of Microsoft’s own tools to spread malware – what you need to know

A Windows 11 laptop on a desk
(Image credit: Wachiwit / Shutterstock)

Hackers have come up with a clever new way to abuse one of Microsoft’s own tools to spread malware to compromised Windows PCs.

As reported by BleepingComputer, security researchers at K7 Security Labs have discovered a new campaign in which hackers are leveraging the software giant’s built-in error reporting tool Windows Problem Reporting (WerFault.exe) to spread the Pupy RAT malware.

What makes this campaign particularly dangerous is the fact that it is able to bypass security software since it uses a tool that ships with both Windows 10 and Windows 11. No alarms are raised which means it isn’t detected by Microsoft Defender or other antivirus software.

Although K7 Security Labs couldn’t identify the hackers responsible, they’re believed to be based in China. 

DLL sideloading

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

This new malware campaign is being spread through ISO images attached to emails but researchers at K7 Security Labs also explained in a blog post that they found a malicious ISO image named “recent inventory & our specialities.iso” in a feed on Twitter.

Regardless of how the ISO ends up on a potential victim’s Windows machine, when clicked, it mounts itself as a new drive letter that contains a legitimate copy of Microsoft’s WerFault.exe along with a DLL file (faultrep.dll), an XLS file (File.xls) and a shortcut file (inventory & our specialties.lnk).

Clicking on the shortcut file starts the infection chain and “scriptrunner.exe” is then used to execute Microsoft’s Windows Problem Reporting tool. When this occurs, the hackers exploit a known DLL sideloading flaw to load the malicious dynamic link library (DLL) file inside the ISO.

While ‘faultrep.dll’ is a legitimate DLL file normally used by WerFault.exe, this process replaces it with a malicious version of the file used to launch the Pupy RAT malware. However, the malicious DLL file needs to be in the same location as the executable – in this case WerFault.exe – for Windows to prioritize it over the original. It also has to have the exact same name.

At this point, the Pupy RAT malware is loaded into memory on a compromised machine while an XLS spreadsheet is opened to distract the victim and make them think nothing is amiss. However, the Pupy RAT malware can now execute commands, steal data, spread laterally to other computers through a network or even install additional malware.

How to protect your Windows devices from malware

Antivirus software on a PC

(Image credit: Shutterstock)

When it comes to staying safe from the Pupy RAT malware spread in this campaign, you want to avoid downloading ISO images online – whether they’re posted on social media or sent to you as an email attachment. This holds true for other malware as any file you download could infect your Windows PC.

Even though it wouldn’t work in this case, you should install one of the best antivirus software solutions on your computer to help keep it protected from malware. At the same time, you also want to make sure that Windows Defender is enabled as it also provides malware protection.

The easiest way to stay safe from malware is to exercise caution online. Don’t click on links in emails or messages from unknown senders and be extremely careful about the types of files you download and where you download them from.

We’ll likely hear more about this campaign once the hackers responsible have been properly identified and Microsoft may also step in with a way to prevent one of its own tools from being used to spread malware to Windows PCs.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.