Threat Actors Using WerFault.exe to Deploy Pupy RAT

Threat Level

Attack Report

For a detailed threat advisory, download the pdf file here

Summary

The Pupy RAT malware is using a technique called DLL side-loading to disguise itself as the legitimate WerFault.exe process in order to evade detection. The malware is delivered via an ISO image that contains a malicious DLL file, a shortcut file, and an Excel file. When the shortcut file is opened, it runs the WerFault.exe process, which then uses the DLL side-loading technique to load and execute the malicious DLL.