Thursday, April 18, 2024

Hackers Abusing Windows Management Interface Command Tool to Deliver Malware That Steal Email Account Passwords

By Guru baran

Cybercriminals are continuing to innovate and use legitimate tools to deliver the malicious file, with this new campaign attacker used WMIC (Windows Management Interface Command) to deliver the information-stealing malware.

WMIC is a command line interface that allows users to run WMI operations, which used to get the status of the local or remote computer systems. The use of legitimate tools allows threat actors to fly under the radar of security products.

Researchers from Symantec observed malware authors abusing WMIC to download the information-stealing malware.

How the attack works

Attackers use to deliver a shortcut file (.lnk) through URL or link in email or as an attachment, once the user opens the file contains a WMIC command, it downloads the malicious file from the attacker’s remote server.

The file downloaded from the remote server is the malicious XSL(eXtensible Stylesheet Language) file and the malicious XSL contains the javascript which is executed using another legitimate application mshta[.]exe used in running Microsoft HTML Application Host.

Researchers said the JavaScript contains a list of 52 domains and it chooses a random URL as well as the random port between 25010-25099 to download the HTA file.

information-stealing malware

The HTA file also has randomization option to download other files, most of them are DLLs compiled with programming language Delphi.

Then HTA would launch the DLL hwasrhela64196155383.dll file with RegSvr32.exe, which is a direct executable and it loads additional DDL, the final export is BTMEMO used to decrypt and load the DLL files.

The Payload modules downloaded are

Email password stealer
Web browser password stealer
Network Phishing
File browser
Coinminer
Backdoor
Keylogger

The primary payload is an information stealer and the additional modules are downloaded by the URL’s generated by the HTA, the downloaded modules will have .jpg or .gif extensions.

Also Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Managed WAF Protection

Website

Latest articles

Vulnerability

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...
Cyber Attack

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...
Cyber Attack

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...
Android

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...
cyber security

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...
Cisco

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Cyber Crime

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]