Windows Utility Used by Malware! It Is a Big Problem!

Windows Utility Used by Malware!

It is said that the WMIC-based payloads show that how computer attackers turn to innocuous system processes to harm your computers. Windows utility used by malware! Really? You can keep on reading.

Some researchers disclosed a new attack chain. This attack chain can exploit some seldom used Windows utilities and innocuous programs to run under the radar to steal files from your computer.

Said by Symantec, this new malware campaign is the exact example of “Living off the land” which is called by the company.

Download/Run/Update/Del Windows Malicious Software Removal Tool

In this post, we will show you how to download & run, update, and remove Windows Malicious Software Removal Tool on Windows 11/10.

Read More

That is to say now the computer attackers begin to turn to the utilities and programs which are already available on their target computer, such as the legitimate tools and processes. Also, it can run some simple scripts & shellcode in the computer memory, and perform some fileless attacks.

The threat actors pay more and more attention to the homegrown software rather than introducing foreign malware into the Windows system. Thus, the malware can be undetected for a longer time, and the risk of being exposed can be minimized.

This new system attack chain keeps this technique in mind.

How does the Campaign Works?

This campaign has been discovered by Symantec. It is found that utilizing a tool on all of Microsoft Windows computer which is called the Windows Management Instrumentation Command-line (WMIC) utility.

This Windows process can supply you with a command-line interface for the Windows Management Interface (WMI). And this WMI can be used to make administrative tasks on both local and remote systems. On the other hand, it can be used to query system settings, control process, as well as execute scripts.

Here, you need to know another thing: eXtensible Stylesheet Language (XSL) files. Both of these combined two are being exploited as a part of a multi-stage infection chain which can be used to steal information from Windows machines secretly.

How does the attack works? It begins with a phishing campaign which contains a shortcut link. This link can be delivered through a URL. When the Windows user clicks on this malicious link, the shortcut file which has a WMIC command can download the malicious XSL files from a remote server.

Moreover, this XSL file contains a JavaScript which can be executed by the use of mshta.exe. What is mshta.exe? The genuine mshta.exe is a software component of Microsoft HTML Application Host.

Is JavaScript innocent? Not really! Actually, the JavaScript has a lost which contains 52 domains. They can be used to generate a domain randomly and port number to download HTML Application (HTA) files and three DLLs. Then they are registered to regsvr32.exe and the main payload.

After that, some additional modules are downloaded which lead to the compromise of the user’s computer.

The payload contains some modules which are suitable to steal information. For example, the MailPassview utility can be used to capture email password; Web Browser Passview software can be used to obtain web browser credentials, and a file browser for viewing and exfiltrating files.

Another utility is PowerShell. It is also being targeted by threat creaters.

The threats from this malware come from all directions. To protect your personal information, you can download and install some anti-virus software on your computer.

If data loss issue happens, you can use the free data recovery software – MiniTool Power Data Recovery to recover your data and then remove the malware with anti-virus software.

MiniTool also provides Ransomware Prevention solution for you.