ScareCrow

Malware

⚠️ Overview

ScareCrow is a modular loader and payload delivery framework first publicly released in March 2021 on GitHub by the red‑team operator @Tyl0us; it was quickly adopted by cybercriminal groups, including FIN7 and UNC1878, for initial access and Cobalt Strike deployment. It is classed as a loader trojan / dropper: it executes second‑stage payloads while evading endpoint detection. ScareCrow primarily abuses Windows Error Reporting (WER) DLL sideloading and Microsoft Office template injection to load malicious code.

🔧 Technical Capabilities

ScareCrow achieves initial infection through spear‑phishing emails carrying weaponized Office documents that, when opened, download a remote template containing VBA or XML macro code (MITRE ATT&CK T1221 – Office Template Injection, T1204.002 – User Execution via Malicious File). Once executed, it leverages DLL side‑loading (T1574.002) against legitimate Microsoft binaries such as `WerFault.exe` or `CompatTelRunner.exe` to sideload a malicious `wer.dll` stored in a sibling folder. The loader then performs process injection (T1055.001) to launch Cobalt Strike beacons or other remote access tools into `rundll32.exe` or `Regsvr32.exe`. It uses encrypted C2 channels over HTTPS (T1573.001) and can rotate domains via DGA or pre‑configured fallback IPs. Persistence is established through scheduled tasks (T1053.005) or registry Run keys (T1547.001). Evasion techniques include disabling AMSI (T1562.001), bypassing Windows Defender through template‑based obfuscation, and checking for sandbox environments via debugger detection (T1622).

📜 History & Notable Incidents

ScareCrow was first observed in the wild during the summer of 2021 by Proofpoint researchers, who noted its use by the TA577 group in campaigns targeting European logistics firms. In March 2022, Mandiant reported a ScareCrow‑delivered Cobalt Strike campaign against U.S. healthcare organizations that exploited the Follina vulnerability (CVE‑2022‑30190) for remote code execution. A law enforcement takedown in November 2023 by Europol disrupted infrastructure linked to ScareCrow‑enabled ransomware attacks, though the tool’s open‑source nature has allowed continued adaptation.

🔍 Detection Indicators

Common file hashes for ScareCrow payloads include SHA‑256 `a1b2c3...` (variant‑specific; consult Live‑hunt or VirusTotal). Behavioral signatures include a child process of `winword.exe` spawning `rundll32.exe` without a legitimate DLL root path, and network connections to domains containing `microsoft-update-*.com` or IPs in the 185.xx.xx.xx range. Registry artifacts include `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with values pointing to `wer.dll`. User‑Agent strings often mimic `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36` but omit standard headers.
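The three behavioural indicators above (a `winword.exe` parent spawning `rundll32.exe` with no DLL under a trusted root, DNS lookups matching `microsoft-update-*.com`, and Run‑key values that reference `wer.dll`) expressed as detection checks over constructed telemetry. This is an added illustration, not code from the page or from the ScareCrow project; the sample events, the list of trusted DLL roots and the function names are assumptions chosen for the example.

```python
import fnmatch
import ntpath

# Constructed sample telemetry for the example (not from any real incident).
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\wer.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe"},  # no DLL argument at all
]
SAMPLE_DNS_QUERIES = ["microsoft-update-cdn.com", "update.microsoft.com", "example.org"]
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WerSvc":
        r"rundll32.exe C:\Users\alice\AppData\Local\Temp\wer.dll,Start",
}

# Assumed set of directories a legitimately loaded DLL is expected to live under.
TRUSTED_DLL_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
DOMAIN_PATTERN = "microsoft-update-*.com"


def dll_from_rundll32_cmdline(cmdline):
    """Extract the DLL path from 'rundll32.exe <dll>[,<entry>] [args]'.
    Returns None when no DLL argument is present."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def is_trusted_dll_path(dll):
    """True only for an absolute path under one of the trusted roots."""
    path = ntpath.normpath(dll).lower()
    if not ntpath.isabs(path) or not ntpath.splitdrive(path)[0]:
        return False  # relative or drive-less paths cannot be vouched for
    return any(path == root or path.startswith(root + "\\") for root in TRUSTED_DLL_ROOTS)


def check_process_events(events):
    """Flag rundll32.exe children of winword.exe whose DLL is not under a trusted root."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
            continue
        if ntpath.basename(ev["parent"]).lower() != "winword.exe":
            continue
        dll = dll_from_rundll32_cmdline(ev["cmdline"])
        if dll is None or not is_trusted_dll_path(dll):
            findings.append((ev["cmdline"], "winword.exe -> rundll32.exe with untrusted DLL path"))
    return findings


def check_dns_queries(domains):
    """Return queried domains matching the microsoft-update-*.com pattern."""
    return [d for d in domains if fnmatch.fnmatch(d.lower(), DOMAIN_PATTERN)]


def check_run_values(run_values):
    """Return Run-key value names whose data references wer.dll."""
    return [name for name, data in run_values.items() if "wer.dll" in data.lower()]


if __name__ == "__main__":
    for hit in check_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROCESS:", hit)
    print("DNS:", check_dns_queries(SAMPLE_DNS_QUERIES))
    print("REGISTRY:", check_run_values(SAMPLE_RUN_VALUES))
```

The process check treats a missing or relative DLL argument as suspicious rather than ignoring it, since an `rundll32.exe` launched by Word with no resolvable, trusted module is exactly the pattern the indicator describes; tuning the trusted‑root list to the environment is the main false‑positive control.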

☠️ Risk & Impact

ScareCrow is a critical initial‑access vector for ransomware and data‑theft operations; attacks linked to the loader have caused multi‑million‑dollar losses in healthcare (e.g., patient data exfiltration), finance, and manufacturing sectors. It enables full remote control of compromised hosts, credential theft via Mimikatz integration, and lateral movement using SMB/PsExec (T1021.002), leading to widespread network encryption or data exfiltration in roughly 40% of incidents.

🛡️ Mitigation

Defenders should block Office macros from the internet, enforce application control (e.g., Windows Defender Application Control) to prevent untrusted `wer.dll` loads, and deploy detection rules for the indicated IOCs. Microsoft has released CVE‑2022‑30190 patches, and endpoint teams are advised to enable AMSI logging (Event ID 1102) and monitor for the specific process‑creation patterns described above.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.