The attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion, according to Malwarebytes security researchers Hossein Jazi and Jérôme Segura.

In a blog post on Tuesday, the pair said the new "Kraken" attack was discovered on September 17, although it is not a completely new technique in itself. The NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware have also used this technique.

The decoy phishing document observed by the team was bundled in a .zip archive. The document, titled "Compensation manual.doc," appears to contain information relating to worker compensation benefits, but triggers a malicious macro when it is opened. The macro uses a custom version of the CactusTorch VBA module, made possible by shellcode, to launch a fileless attack.

CactusTorch loads a compiled .Net binary called 'Kraken.dll' into memory and executes it via VBScript. This payload injects an embedded shellcode into WerFault.exe, the WER service process that Microsoft uses to track and address errors in the operating system.

"The reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens," says Malwarebytes. "When victims see WerFault.exe running on their machine, they are likely to assume that some error happened, while in this case they have been targeted in an attack."

The shellcode is also prompted to make an HTTP request to a hard-coded server, presumably to download additional malware.

Several anti-analysis techniques are used by the Kraken operators, including code obfuscation, requiring the DLL to run on multiple threads, checking for sandbox or debugger environments, and scanning the registry to determine whether VMware or Oracle VirtualBox virtual machines are running. The developers have programmed the malicious code to terminate the process if such signs are found.

At present, the Kraken attack has proven difficult to attribute. There are, however, several elements that remind researchers of APT32, also known as OceanLotus, a Vietnamese APT suspected to be responsible for attacks against BMW and Hyundai in 2019, Malwarebytes says.

At the time of the report, the hard-coded target URL of the malware was down, and without it, it is not possible to find specific indicators pointing to one APT or another.
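The WerFault.exe injection described above leaves behaviour an endpoint sensor can see even when no file touches disk: WerFault.exe is created by an Office or script host rather than the WER service, it starts without the crash-report arguments a genuine invocation carries, and it then opens an outbound connection to a non-Microsoft host. The following Python is an added detection example, written for this page and not code from Malwarebytes or the Kraken report. It runs three such heuristics over constructed Sysmon-style records (EventID 1 process creation and EventID 3 network connection, with field names mirroring Sysmon's). The list of suspicious parent processes, the assumption that legitimate WerFault.exe runs always pass `-u`/`-p`/`-s` style arguments, the `.microsoft.com` allow-list for its network traffic, and the sample hosts and PIDs are all assumptions made for the example.

```python
"""Heuristics for spotting WerFault.exe process-injection abuse.

Added example; not Malwarebytes' or the Kraken operators' code. The events
below are constructed to look like Sysmon EventID 1 (process create) and
EventID 3 (network connect) records; they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Assumption: these user-facing parents never legitimately launch WerFault.exe.
# A real crash report is spawned by the WER service host or the faulting app.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
}

# Assumption: a genuine WerFault.exe invocation carries -u / -p <pid> / -s <n>.
CRASH_ARGS = re.compile(r"(?:^|\s)-(?:u|p|s)(?:\s|$)")

# Assumption: WER telemetry only goes to Microsoft hosts.
ALLOWED_NET_SUFFIX = ".microsoft.com"


@dataclass
class Finding:
    pid: int
    reason: str
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(evt: dict) -> list:
    """Flag WerFault.exe launched by an unexpected parent or without crash args."""
    if basename(evt["image"]) != "werfault.exe":
        return []
    findings = []
    parent = basename(evt["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        findings.append(Finding(evt["pid"], f"WerFault.exe spawned by {parent}", "high"))
    if not CRASH_ARGS.search(evt["cmdline"]):
        findings.append(Finding(evt["pid"], "WerFault.exe started without crash-report arguments", "medium"))
    return findings


def check_network_connect(evt: dict) -> list:
    """Flag WerFault.exe connecting anywhere other than Microsoft endpoints."""
    if basename(evt["image"]) != "werfault.exe":
        return []
    host = evt["dest_host"].lower()
    if host.endswith(ALLOWED_NET_SUFFIX):
        return []
    return [Finding(evt["pid"], f"WerFault.exe connected to {host}:{evt['dest_port']}", "high")]


def detect(events: list) -> list:
    """Run both checks and escalate PIDs seen in a suspicious spawn AND a network call."""
    findings = []
    for evt in events:
        if evt["id"] == 1:
            findings += check_process_create(evt)
        elif evt["id"] == 3:
            findings += check_network_connect(evt)
    spawned = {f.pid for f in findings if "spawned" in f.reason or "without" in f.reason}
    networked = {f.pid for f in findings if "connected" in f.reason}
    for f in findings:
        if f.pid in spawned & networked:
            f.severity = "critical"
    return findings


# Constructed sample records: one benign crash report, one injected WerFault.exe
# spawned by Word that beacons to a hypothetical host, one unrelated process.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\WerFault.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\WerFault.exe -u -p 3388 -s 1204"},
    {"id": 1, "pid": 5532, "image": "C:\\Windows\\System32\\WerFault.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "C:\\Windows\\System32\\WerFault.exe"},
    {"id": 3, "pid": 4120, "image": "C:\\Windows\\System32\\WerFault.exe",
     "dest_host": "watson.telemetry.microsoft.com", "dest_port": 443},
    {"id": 3, "pid": 5532, "image": "C:\\Windows\\System32\\WerFault.exe",
     "dest_host": "example.invalid", "dest_port": 80},  # hypothetical C2 host
    {"id": 1, "pid": 6001, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid}: {f.reason}")
```

Only the Word-spawned WerFault.exe (PID 5532) is reported, on all three heuristics, and its findings are escalated to critical because the same PID both looks mis-spawned and talks to a non-Microsoft host; the genuine svchost-spawned crash report produces nothing. Tuning the parent list and the argument check to an estate's own baseline is the main work before deploying something like this.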