Security firm K7 Security Labs reports that hackers are using the official Windows bug reporting tool to, ironically, spread malware. Since a genuine version of the program is being used for the scam, it goes unnoticed by most antivirus and protection software.

The trick starts with the victim receiving an ISO file (disk image) via email. When you double-click the file, it mounts itself as a new drive containing the legitimate Windows error reporting program, a file called WerFault.exe. The infection starts when this file is clicked, but the executable itself is not what carries the malware.

Source: K7 Security Labs

The executable used in this trick is genuine and harmless. The scam is in the faultrep.dll file, also contained in the hackers’ ISO. This is yet another official Windows file, normally used by your bug reporting tool – but in this case faultrep.dll has been replaced with a copy carrying malicious code.

WerFault.exe, when run from the ISO, will load the faultrep.dll sitting beside it in the same package instead of the copy in the Windows system directory. This trick even has a name: “DLL sideloading”. On the surface the program works as it should, but a Trojan horse, known as Pupy RAT, is loaded along with it.
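As an added illustration (not code from K7 Security Labs or the original article), here is a defender-side check in Python that flags image-load telemetry where WerFault.exe resolves faultrep.dll from anywhere other than the Windows system directory. The sample events and the E:\ drive letter are constructed, and the Sysmon Event ID 7 field names are an assumption about the telemetry source.

```python
import ntpath

# Directories from which WerFault.exe legitimately resolves faultrep.dll.
# Assumption: default Windows install; adjust for a non-standard system root.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Executable -> DLL names it should resolve only from the system directory.
# Only the pairing described in the article is listed; extend with other known pairs.
SIDELOAD_PAIRS = {"werfault.exe": {"faultrep.dll"}}

# Constructed sample events, loosely modeled on Sysmon Event ID 7 (Image loaded).
# Field names follow Sysmon; the paths and the E:\ mounted-ISO drive are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"Image": r"E:\WerFault.exe", "ImageLoaded": r"E:\faultrep.dll"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Users\Public\faultrep.dll"},
]


def check_image_load(event):
    """Return a finding string if the event matches the sideloading pattern
    (a paired DLL resolved from outside the system directory), else None."""
    exe_path = event["Image"].lower()
    dll_path = event["ImageLoaded"].lower()
    exe_name = ntpath.basename(exe_path)
    dll_name = ntpath.basename(dll_path)
    if dll_name not in SIDELOAD_PAIRS.get(exe_name, set()):
        return None  # not a DLL we track for this executable
    if ntpath.dirname(dll_path) in TRUSTED_DIRS:
        return None  # resolved from System32: expected behaviour
    # A system binary running from a mounted image or user folder is itself a clue.
    where = "system binary" if ntpath.dirname(exe_path) in TRUSTED_DIRS else "relocated copy"
    return (f"possible DLL sideloading: {where} {event['Image']} "
            f"loaded {dll_name} from {ntpath.dirname(event['ImageLoaded'])}")


def scan(events):
    """Run the check over a list of image-load events and collect the findings."""
    return [f for f in (check_image_load(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```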

Source: K7 Security Labs

The Pupy RAT can execute remote commands on the infected system, steal data, install other malware and also infect more computers on the network.

This is a dangerous scam that most likely will not be detected by your antivirus. That’s why it’s always recommended to pay extra attention when downloading executable files from the internet, and also to carefully check the sender of your emails. Scammers have specialized in impersonating official accounts to send emails, but often a careful look is enough to tell when this is the case.