Hackers Abusing Windows Management Interface Command Tool to Deliver Malware That Steal Email Account Passwords

Cybercriminals are continuing to innovate and use legitimate tools to deliver the malicious file, with this new campaign attacker used WMIC (Windows Management Interface Command) to deliver the information-stealing malware.

WMIC is a command line interface that allows users to run WMI operations, which used to get the status of the local or remote computer systems. The use of legitimate tools allows threat actors to fly under the radar of security products.

Researchers from Symantec observed malware authors abusing WMIC to download the information-stealing malware.

How the attack works

Attackers use to deliver a shortcut file (.lnk) through URL or link in email or as an attachment, once the user opens the file contains a WMIC command, it downloads the malicious file from the attacker’s remote server.

The file downloaded from the remote server is the malicious XSL(eXtensible Stylesheet Language) file and the malicious XSL contains the javascript which is executed using another legitimate application mshta[.]exe used in running Microsoft HTML Application Host.

Researchers said the JavaScript contains a list of 52 domains and it chooses a random URL as well as the random port between 25010-25099 to download the HTA file.

The HTA file also has randomization option to download other files, most of them are DLLs compiled with programming language Delphi.

Then HTA would launch the DLL hwasrhela64196155383.dll file with RegSvr32.exe, which is a direct executable and it loads additional DDL, the final export is BTMEMO used to decrypt and load the DLL files.

The Payload modules downloaded are

Email password stealer
Web browser password stealer
Network Phishing
File browser
Coinminer
Backdoor
Keylogger

The primary payload is an information stealer and the additional modules are downloaded by the URL’s generated by the HTA, the downloaded modules will have .jpg or .gif extensions.

Also Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Guru Baran

Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Dark Pink APT Group Compromised 13 Organizations in 9 Countries

Dark Pink has successfully targeted 13 organizations across 9 countries, highlighting the extent of their…

6 hours ago

Hackers Exploit Barracuda Zero-Day Flaw Since 2022 to Install Malware

This vulnerability exists due to improper processing, validation, and sanitization of the names of the…

9 hours ago

Critical Jetpack WordPress Flaw Exposes Millions of Website

This vulnerability could be used by authors on a site to manipulate any files in…

1 day ago

Shut Down Phishing Attacks – Types, Methods, Detection, Prevention Checklist

In today's interconnected world, where digital communication and transactions dominate, phishing attacks have become an…

1 day ago

Kali Linux 2023.2 Released – What’s New!

Users of Kali Linux can now upgrade to the 2023.2 version, which has many new…

2 days ago

Google CTF 2023 – Rewards over $32,000 For Winners

CTF (Capture The Flag) exercises have existed for several years. These CTF exercises provide a…

2 days ago