HomeWinBuzzer NewsMicrosoft Windows “Kraken” Attack Discovered by Security Researchers

Microsoft Windows “Kraken” Attack Discovered by Security Researchers

A pair of security researchers have found a Microsoft Windows attack known as Kraken, which targets Windows Error Reporting.


Security researches have this week described a new attack “Kraken” method that targets Windows. Specifically, a new type of fileless attack technique has been observed. It would allow bad actors to manipulate Windows Error Reporting (WER).

Malwarebytes reports its researchers Hossein Jazi and Jérôme Segura discovered the attack method. Hackers would use malware to borrow into WER executables to remain hidden. According to the team, the group behind the exploit has yet to be found.

In a blog post highlighting the attack, the researchers describe the “Kraken” attack was first found in September. However, it is worth noting the techniques used are not new.

Attackers leverage a phishing campaign through a document loaded with a .ZIP file. This “Compensation manual.doc” file is sent to unwitting victims and claim to have information around worker compensation rights.

How It Attacks

If the user opens the attachment, a malware macro will spring into action. Through the macro, a version of the CactusTorch VBA module is installed and sends the fileless attack. Specifically, a binary titled “Kraken.dll” executes through VBScript and embeds into WerFult.exe in Windows.

“That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens,” Malwarebytes says. “When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.”

Attackers can engage in nefarious activity such as forcing Kraken to work across multiple threads, obfuscate code, scan the registry, or find sandboxes. While the pair or researchers could find the attack, they have been unable to attribute it to any hacking group.

Malwarebytes suggests it may come from APT32 because of some similar elements. This is a Vietnam-based threat group that has conducted major attacks in the past.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News