Malware Campaign Exploiting WMIC
A new campaign has been observed using the Windows Management Instrumentation Command-line (WMIC) tool to install a variety of different malware.
WMIC provides administrative capabilities for local and remote systems. It can run and terminate processes, execute files and alter system parameters. WMIC has previously been used by various threat actors to traverse an affected network but is not commonly used as an infection vector.
The campaign uses WMIC scripts delivered via .lnk files. When opened, these scripts download .xsl file containing a JavaScript script that then generates a unique URL. The URLs are used to download an HTML Application (.hta) file that contains the malware payload.
Various payloads have been delivered using this method, including a keylogger, an email and browser password stealer, a cryptocurrency miner, a backdoor and a spam botnet.
The use of WMIC is beneficial for the attackers as it helps them to remain inconspicuous and also provides them with a powerful tool to aid them in their activities. The WMIC utility provides a command-line interface for WMI, which is used for an array of administrative capabilities for local and remote systems and can be used to query system settings, stop processes, and locally or remotely execute scripts. Parallels can be drawn between WMIC and PowerShell, another legitimate tool which is also found on Windows systems and is increasingly being abused by cyber criminals.
Step-by-step
- The attack chain begins with the arrival of a shortcut (.lnk) file delivered via a URL, such as a link in an email, or sent as an email attachment. Once the recipient clicks on the file, the next stage in the attack is initiated.
- The shortcut file contains a WMIC command to download a file from a remote server.
- The downloaded file is a malicious XSL file.
- The XSL file contains JavaScript which is executed using mshta.exe, another legitimate tool often abused by cyber criminals.
- The JavaScript contains a list of 52 domains each assigned an ID number from 1-52. The JavaScript has a function (radador) to randomly generate a number from a range of 1-52, effectively choosing a random domain from the list. In order to generate a unique URL, the JavaScript generates a random number using the radador function, as well as a random port number from 25010-25099, and adds them to the domain to create a download URL.
- The URL is used to download an HTML Application (HTA) file.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.