It is highly recommended to implement and maintain email security controls, including the ability to block certain file attachments. ISO files have become extremely popular among threat actors as a way to get malware onto a system initially while also evading defenses. In this campaign, the threat actors attach the ISO directly to a phishing email received by the end user. By blocking incoming emails that contain ISO (or IMG) attachments, an organization can help prevent campaigns like this one from infecting devices in the first place.

It is also recommended to maintain proper endpoint security controls, such as an EDR, on all devices within an organization. EDRs may be able to detect and prevent malicious activity before it completely compromises a system. In cases where prevention does not occur, detections can be created to alert security analysts to a potential infection. The infection vector used by these threat actors contains a number of suspicious behaviors that can be alerted upon: scriptrunner.exe being used to proxy the execution of an abnormal process; WerFault.exe executing from a location outside of the normal C:\Windows\System32 directory; WerFault.exe spawning an Excel process; and WerFault.exe making consistent outbound network requests to abnormal IP addresses. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
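As an added example (not code from Binary Defense or from the original post), the following Python script turns the four behaviors listed above into detection logic and runs it over constructed Sysmon-style process-creation and network-connection events. The event field names, the sample paths, the 203.0.113.0/24 destination and the 10.0.0.0/8 allowlist are assumptions made for the example; in production the allowlist would hold the destinations WerFault.exe legitimately reports to. The legitimate-directory list also includes C:\Windows\SysWOW64, which goes beyond the page: the 32-bit copy of WerFault.exe is installed there on 64-bit Windows, so excluding it would produce false positives.

```python
"""Detection logic for the WerFault.exe abuse behaviors described above.
Added example; events below are constructed, not captured from a real host."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List

# Directories where WerFault.exe legitimately lives on 64-bit Windows.
# The page names System32; SysWOW64 is added as an assumption for the example.
LEGIT_WERFAULT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed allowlist of destinations WerFault.exe may contact (placeholder
# range for the example, not real Microsoft error-reporting addresses).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of its parent process


@dataclass(frozen=True)
class NetworkEvent:
    image: str         # process that opened the connection
    dest_ip: str
    dest_port: int


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def check_process(ev: ProcessEvent) -> List[str]:
    """Return one finding per suspicious behavior in a process-creation event."""
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    findings = []
    # scriptrunner.exe being used to proxy execution of another process.
    if parent == "scriptrunner.exe":
        findings.append(f"scriptrunner.exe proxied execution of {child}")
    # WerFault.exe started from a directory it is never installed in.
    if child == "werfault.exe" and _parent_dir(ev.image) not in LEGIT_WERFAULT_DIRS:
        findings.append(f"WerFault.exe executed from unexpected path {ev.image}")
    # The error-reporting tool has no legitimate reason to launch Excel.
    if parent == "werfault.exe" and child == "excel.exe":
        findings.append("WerFault.exe spawned excel.exe")
    return findings


def check_network(events: List[NetworkEvent], beacon_threshold: int = 3) -> List[str]:
    """Flag WerFault.exe connections to non-allowlisted IPs, and repeated
    connections to the same destination as possible beaconing."""
    findings = []
    per_dest: Counter = Counter()
    for ev in events:
        if _basename(ev.image) != "werfault.exe":
            continue
        ip = ipaddress.ip_address(ev.dest_ip)
        if any(ip in net for net in ALLOWED_NETWORKS):
            continue
        key = (ev.dest_ip, ev.dest_port)
        per_dest[key] += 1
        if per_dest[key] == 1:  # report each abnormal destination once
            findings.append(f"WerFault.exe connected to abnormal destination {ev.dest_ip}:{ev.dest_port}")
    for (ip, port), n in per_dest.items():
        if n >= beacon_threshold:
            findings.append(f"WerFault.exe made {n} repeated connections to {ip}:{port} (possible beaconing)")
    return findings


def run(process_events: List[ProcessEvent], network_events: List[NetworkEvent]) -> List[str]:
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    findings.extend(check_network(network_events))
    return findings


# Constructed sample telemetry: one benign WerFault.exe launch, then the
# infection chain described in the post.
TEMP_WERFAULT = r"C:\Users\victim\AppData\Local\Temp\WerFault.exe"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(TEMP_WERFAULT, r"C:\Windows\System32\scriptrunner.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", TEMP_WERFAULT),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(TEMP_WERFAULT, "203.0.113.7", 443),
    NetworkEvent(TEMP_WERFAULT, "203.0.113.7", 443),
    NetworkEvent(TEMP_WERFAULT, "203.0.113.7", 443),
    NetworkEvent(r"C:\Windows\System32\WerFault.exe", "10.1.2.3", 443),  # allowlisted
]

if __name__ == "__main__":
    for line in run(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print("ALERT:", line)
```

Run against the constructed sample, the script raises five alerts: the scriptrunner.exe proxy, WerFault.exe running from the user's Temp directory, WerFault.exe spawning Excel, the first connection to the non-allowlisted address, and the repeated connections to that same address. The benign System32 launch and the allowlisted connection produce nothing, which is the tuning point that matters when turning these behaviors into production rules.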
https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/

