The attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion, according to Malwarebytes security researchers Hossein Jazi and Jérôme Segura. In a blog post on Tuesday, the pair said the new "Kraken" attack was discovered on September 17, although it is not a completely novel technique in itself.

A lure phishing document found by the team was packaged in .ZIP format. The file, titled "Compensation manual.doc," appears to contain information relating to worker compensation benefits, but can trigger a malicious macro when opened.

The macro uses a custom version of the CactusTorch VBA module, made possible by shellcode, to launch a fileless attack. CactusTorch loads a compiled .Net binary called 'Kraken.dll' into memory and executes it via VBScript. This payload injects an embedded shellcode into WerFault.exe, a WER service-related process that Microsoft uses to track and address errors in the operating system.

"The reporting program, WerFault.exe, is normally invoked when an operating system, Windows feature, or program-specific error occurs," said Malwarebytes. "When victims see WerFault.exe running on their computer, they're likely to believe that some error happened, when in fact they were being targeted in an attack."

The NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware have also used this technique. The shellcode is also triggered to make an HTTP request to a hard-coded server, presumably to download additional malware.

Kraken operators have adopted various anti-analysis measures, including code obfuscation, forcing the DLL to run in multiple threads, checking for sandbox or debugger conditions, and querying the registry to see whether VMware or Oracle VirtualBox virtual machines are running. The developers have programmed the malicious code to terminate if any such indicators are detected.

At present, the Kraken attack has proven hard to attribute. At the time of the investigation, the hard-coded target URL of the malware had been taken down, and without it, it is not possible to obtain specific indicators pointing to one APT or another. There are, however, several elements that remind the researchers of APT32, also known as OceanLotus, a Vietnamese APT suspected of being responsible for attacks against BMW and Hyundai in 2019, Malwarebytes said.
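As an added example (not code from the Malwarebytes write-up or from this article), the following correlation check runs over constructed Sysmon-style process-creation and network events: it flags a WerFault.exe instance created by a document or script host rather than by the error-reporting service, and then treats any outbound connection from that same instance as a download or C2 candidate, while leaving service-spawned error reports alone. The event shape, field names and parent-process lists are assumptions made for this example.

```python
"""Heuristic for the WER-abuse chain described above (example code).

Legitimate WerFault.exe is started by the WER service host when a program
crashes. A copy spawned by Word or a script host, followed by a network
connection from that same process, matches the injection chain above.
"""

# Constructed events in a Sysmon-like shape: id 1 = process create,
# id 3 = network connect. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "dest": "203.0.113.7", "port": 80},            # constructed test address
    {"id": 1, "pid": 5088, "image": r"C:\Windows\System32\WerFault.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},  # normal crash report
    {"id": 3, "pid": 5088, "image": r"C:\Windows\System32\WerFault.exe",
     "dest": "203.0.113.9", "port": 443},           # not flagged: benign parent
]

# Parents that should never need to start the error reporter (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, reason) alerts in event order.

    A WerFault.exe created by a suspicious parent is recorded as injected;
    a later network connection from that pid raises a second, stronger alert.
    """
    injected = set()
    alerts = []
    for e in events:
        if basename(e["image"]) != "werfault.exe":
            continue
        if e["id"] == 1 and basename(e["parent"]) in SUSPICIOUS_PARENTS:
            injected.add(e["pid"])
            alerts.append((e["pid"], "spawned-by-" + basename(e["parent"])))
        elif e["id"] == 3 and e["pid"] in injected:
            alerts.append((e["pid"], f"c2-candidate-{e['dest']}:{e['port']}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {reason}")
```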
The Kraken Attack Technique Abuses WER To Avoid Detection - Cybers Guards