The attack vector relies on malware hiding itself in WER-based executables to avoid raising suspicion, according to Malwarebytes security researchers Hossein Jazi and Jérôme Segura. In a blog post on Tuesday, the pair said the latest "Kraken" attack was uncovered on September 17, although it is not a wholly new technique in itself. A lure phishing document found by the team was bundled in .ZIP format. The document, titled "Compensation manual.doc," appears to contain information relating to worker compensation benefits, but triggers a malicious macro when opened.

The macro uses a custom version of the CactusTorch VBA module, made possible by shellcode, to launch a fileless attack. CactusTorch loads a compiled .NET binary called 'Kraken.dll' into memory and runs it via VBScript. This payload injects encoded shellcode into WerFault.exe, a mechanism tied to the Windows Error Reporting (WER) service that Microsoft uses to detect and handle errors in the operating system.

"The reporting program, WerFault.exe, is usually invoked when an operating system, Windows feature, or program-specific error occurs," said Malwarebytes. "When victims see WerFault.exe running on their computer, they're inclined to believe that some error happened, when in this case they have already been hit by an attack."

The NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware also use this technique. The shellcode is also triggered to make an HTTP request to a hard-coded host, presumably to download additional malware. Several anti-analysis measures are adopted by the Kraken operators, including code obfuscation, requiring the DLL to run in multiple threads, searching for sandbox or debugger environments, and checking the registry to determine whether VMware or Oracle VirtualBox virtual machines are running.
The developers have programmed the malicious code to abort the injection process if such signs are detected. At present, the Kraken attack has proved hard to attribute. At the time of the analysis, the hard-coded target URL of the malware had been taken down, and without it, it is not possible to produce specific indicators pointing to one APT or another. There are, however, several elements that remind the researchers of APT32, also known as OceanLotus, a Vietnamese APT suspected of being responsible for attacks against BMW and Hyundai in 2019, Malwarebytes said.
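The behaviour described above gives a defender two concrete signals: WerFault.exe being started from somewhere other than a crash (here, from a Word document's macro) and WerFault.exe making an HTTP request to a non-Microsoft host. The following Python script is an added example, not code from the Cybers Guards article or from Malwarebytes, showing how those signals can be checked against process-creation and network-connection telemetry. The JSON log format, the field names, the allow-lists (`EXPECTED_PARENTS`, `EXPECTED_DEST_SUFFIXES`, `DOCUMENT_OR_SCRIPT_HOSTS`) and the sample events are all constructed assumptions for the example.

```python
"""Flag WerFault.exe activity that does not look like a genuine crash report.

Added example for the Kraken technique: shellcode injected into WerFault.exe
that then makes an HTTP request to a hard-coded host. The JSON log format,
field names, allow-lists and sample events are constructed for this example
(not Malwarebytes' or Cybers Guards' code or data); Sysmon event IDs 1 and 3
or any EDR process/network feed carry the same information under their own
field names.
"""
import json
from dataclasses import dataclass, field

WERFAULT = "werfault.exe"

# Assumption: the WER service path starts WerFault.exe from svchost.exe or
# wermgr.exe, and a real crash report carries the faulting PID (-p).
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe"}
# Assumption: genuine error reports only talk to Microsoft telemetry hosts.
EXPECTED_DEST_SUFFIXES = (".microsoft.com", ".windows.com")
# Office and script hosts should never be the origin of an error-report process.
DOCUMENT_OR_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry: one legitimate crash report (pid 4412) and one
# WerFault.exe spawned from Word that then calls out to a non-Microsoft host
# (pid 5580). IP addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = r"""
{"type":"process","pid":4412,"image":"C:\\Windows\\System32\\WerFault.exe","parent":"C:\\Windows\\System32\\svchost.exe","cmdline":"WerFault.exe -u -p 3120 -s 1280"}
{"type":"network","pid":4412,"image":"C:\\Windows\\System32\\WerFault.exe","dest_ip":"198.51.100.20","dest_port":443,"dest_host":"watson.telemetry.microsoft.com"}
{"type":"process","pid":5580,"image":"C:\\Windows\\System32\\WerFault.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WerFault.exe"}
{"type":"network","pid":5580,"image":"C:\\Windows\\System32\\WerFault.exe","dest_ip":"203.0.113.7","dest_port":80,"dest_host":""}
{"type":"process","pid":6012,"image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
"""


@dataclass
class Finding:
    pid: int
    reason: str
    event: dict = field(repr=False)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_process(ev: dict):
    """Flag WerFault.exe launches that do not fit a crash-report origin."""
    if image_name(ev["image"]) != WERFAULT:
        return None
    parent = image_name(ev["parent"])
    args = ev.get("cmdline", "").lower().split()
    if parent in DOCUMENT_OR_SCRIPT_HOSTS:
        return Finding(ev["pid"], f"WerFault.exe spawned by document/script host {parent}", ev)
    if "-p" not in args and parent not in EXPECTED_PARENTS:
        return Finding(ev["pid"], f"WerFault.exe started by {parent} without a faulting-process argument", ev)
    return None


def check_network(ev: dict):
    """Flag WerFault.exe connections to anything other than Microsoft telemetry."""
    if image_name(ev["image"]) != WERFAULT:
        return None
    host = ev.get("dest_host", "").lower()
    if host.endswith(EXPECTED_DEST_SUFFIXES):
        return None
    dest = host or f'{ev["dest_ip"]}:{ev["dest_port"]}'
    return Finding(ev["pid"], f"WerFault.exe connected to non-Microsoft destination {dest}", ev)


def analyze(events: list) -> list:
    """Run both checks over the event stream and return findings in log order."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            finding = check_process(ev)
        elif ev.get("type") == "network":
            finding = check_network(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


def summarize(findings: list) -> dict:
    """Group reasons by PID; a PID with both a launch and a network finding is the strongest signal."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, []).append(f.reason)
    return by_pid


if __name__ == "__main__":
    for pid, reasons in summarize(analyze(parse_events(SAMPLE_EVENTS))).items():
        print(f"pid {pid}: {len(reasons)} finding(s)")
        for r in reasons:
            print("  -", r)
```

The parent-process rule is a heuristic: a faulting application can itself launch WerFault.exe with `-p`, so a strict "svchost.exe only" rule would be noisy, which is why the script treats the missing `-p` argument and an Office or script-host parent as the signals rather than the parent name alone. The network rule is the more robust of the two, since the article's whole point is that an error-reporting process has no business fetching content from an arbitrary host.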
The Kraken Attack Technique Abuses WER To Avoid Detection - Cybers Guards