Hackers are using one of Microsoft’s own tools to spread malware – what you need to know

A Windows 11 laptop on a desk
(Image credit: Wachiwit / Shutterstock)

Hackers have come up with a clever new way to abuse one of Microsoft’s own tools to spread malware to compromised Windows PCs.

As reported by BleepingComputer, security researchers at K7 Security Labs have discovered a new campaign in which hackers are leveraging the software giant’s built-in error reporting tool Windows Problem Reporting (WerFault.exe) to spread the Pupy RAT malware.

What makes this campaign particularly dangerous is the fact that it is able to bypass security software since it uses a tool that ships with both Windows 10 and Windows 11. No alarms are raised which means it isn’t detected by Microsoft Defender or other antivirus software.

Although K7 Security Labs couldn’t identify the hackers responsible, they’re believed to be based in China. 


Reader Offer: Save 68% on Aura identity theft protection

<a href="https://aurainc.sjv.io/c/221109/1664099/12398?subId1=hawk-custom-tracking" data-link-merchant="aurainc.sjv.io"">Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can <a href="https://aurainc.sjv.io/c/221109/1664099/12398?subId1=hawk-custom-tracking" data-link-merchant="aurainc.sjv.io"" data-link-merchant="aurainc.sjv.io"">save up to 68% when they sign up.

Preferred partner (<a href="https://www.tomsguide.com/reference/about-us#section-affiliate-advertising-disclosure" data-link-merchant="tomsguide.com"" data-link-merchant="aurainc.sjv.io"" data-link-merchant="aurainc.sjv.io"">What does this mean?)

DLL sideloading

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

This new malware campaign is being spread through ISO images attached to emails but researchers at K7 Security Labs also explained in a blog post that they found a malicious ISO image named “recent inventory & our specialities.iso” in a feed on Twitter.

Regardless of how the ISO ends up on a potential victim’s Windows machine, when clicked, it mounts itself as a new drive letter that contains a legitimate copy of Microsoft’s WerFault.exe along with a DLL file (faultrep.dll), an XLS file (File.xls) and a shortcut file (inventory & our specialties.lnk).

Clicking on the shortcut file starts the infection chain and “scriptrunner.exe” is then used to execute Microsoft’s Windows Problem Reporting tool. When this occurs, the hackers exploit a known DLL sideloading flaw to load the malicious dynamic link library (DLL) file inside the ISO.

While ‘faultrep.dll’ is a legitimate DLL file normally used by WerFault.exe, this process replaces it with a malicious version of the file used to launch the Pupy RAT malware. However, the malicious DLL file needs to be in the same location as the executable – in this case WerFault.exe – for Windows to prioritize it over the original. It also has to have the exact same name.

At this point, the Pupy RAT malware is loaded into memory on a compromised machine while an XLS spreadsheet is opened to distract the victim and make them think nothing is amiss. However, the Pupy RAT malware can now execute commands, steal data, spread laterally to other computers through a network or even install additional malware.

How to protect your Windows devices from malware

Antivirus software on a PC

(Image credit: Shutterstock)

When it comes to staying safe from the Pupy RAT malware spread in this campaign, you want to avoid downloading ISO images online – whether they’re posted on social media or sent to you as an email attachment. This holds true for other malware as any file you download could infect your Windows PC.

Even though it wouldn’t work in this case, you should install one of the best antivirus software solutions on your computer to help keep it protected from malware. At the same time, you also want to make sure that Windows Defender is enabled as it also provides malware protection.

The easiest way to stay safe from malware is to exercise caution online. Don’t click on links in emails or messages from unknown senders and be extremely careful about the types of files you download and where you download them from.

We’ll likely hear more about this campaign once the hackers responsible have been properly identified and Microsoft may also step in with a way to prevent one of its own tools from being used to spread malware to Windows PCs.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Flibbetygibbet
    I believe this has just happened to me with MOSAID - some component within this tool, fiddler or something that it said didn't have a certificate so I said no don't install it, then I couldn't open any browser tabs without messages that they were no longer secure. the folder in which the .zip and app files was placed is now no longer visible so I can't even delete the contents of that (although of course, that doesn't necessarily address the problem). How can MS tech support direct customers to software that isn't confirmed clean? What do I do about it (as it's not detectable, how do I find it and remove it - safely - without ending up with another tool that has embedded malware in it?!)?
    Reply
  • Fox Tread3
    Flibbetygibbet said:
    I believe this has just happened to me with MOSAID - some component within this tool, fiddler or something that it said didn't have a certificate so I said no don't install it, then I couldn't open any browser tabs without messages that they were no longer secure. the folder in which the .zip and app files was placed is now no longer visible so I can't even delete the contents of that (although of course, that doesn't necessarily address the problem). How can MS tech support direct customers to software that isn't confirmed clean? What do I do about it (as it's not detectable, how do I find it and remove it - safely - without ending up with another tool that has embedded malware in it?!)?
    Hi, sorry to hear about your problem. I think there are two possible solutions, though I don't claim to be an expert by any means. First, which is the easiest, and doesn't cost anything, is to do a clean reinstall of Windows. Hopefully you still have the media that you use to install Windows initially. If not, you may be able to to download your Windows version directly from Microsoft only, and provide your subscription code when it is requested. The other and obviously expensive option is to take your machine into a reputable computer repair shop. A number of things to take into consideration is that whatever Malware you have on your computer may be in the essential files and programs required to run Windows, like the kernel. If you are unfamiliar with what the Kernel is, I suggest you do a Google search for it. Lastly, I suggest your consider that if you have external hard drives, and/or SSDs connected to your computer, they may be infected also. Please be aware that Malware has gotten so sophisticated that it can be so well embedded that even well known anti-malware cleaners like Malwarebytes can't detect and remove them. I hope I have been of some help, and wish you the best of luck. 👍😊
    Reply
  • Flibbetygibbet
    Thank you Fox Tread3, very much appreciated.

    Will see what I can sort out. Such an utter pain.
    Reply
  • Fox Tread3
    Hi. I'm sorry I couldn't be of more assistance. I thought it would be nice if at least one person addressed your problem. I got a Trojan on my network, and because I had external drives with sensitive information on them. The hackers were able to do more damage, since they could see what I was doing on my computers. I got the Trojan while making a purchase from a website that had been compromised. Which is becoming more frequent since so many employees are working from home over unsecure networks. Fortunately, I was able to use a none infected computer to carry on, while my two full tower computers plus my six external drives went for a "cleaning" at to different repair shops to be on the safe side. I would recommend that until you get things sorted out. That you consider getting a cheap Chromebook for around USD $200.00. Some top brand models are on sale now. Chromebooks are very secure because nothing can be downloaded and kept on them without your knowledge. Great for banking etc. You do have to have a Google account or get one, which of course is free. However, out of the box you can use the Chromebook to get online using the "guest" mode. That may be a good option until you are sure that your computer is malware free. Best of luck.. and as we Trekees say.. "Live long and prosper!🖖"🤓😉
    Reply
  • Flibbetygibbet
    Oh no you've been really helpful, don't worry.
    Reply
  • Fox Tread3
    Very cool. 👍👍 Stay well, and cheers from Connecticut, U.S.A.😉
    Reply