Several cyber situations have arisen from attackers exploiting existing Microsoft Windows resources. In a new example of “living off the land”, researchers have discovered an attack that exploits a Windows utility. When implemented, the malware runs undetected and allows the bad actor to steal data.
By the way, that catchy “living off the land” is Symantec’s wording. The company uses their phrase for malware that exploits legitimate utilities and processes on the target machine. It is an attack method Symantec says is becoming increasingly common.
Researchers for the company discovered the latest Windows exploit and says it is a classic example of “living off the land”.
The attack exploits something called the Windows Management Instrumentation Command-line (WMIC). This is a utility found in all Windows PCs and is a legitimate process. In fact, it manages administrative tasks on systems and can be used for various roles. For example, on remote or local systems, WMIC can control processes and execute scripts.
Those two capabilities alone show how dangerous it would be if WMIC is exploited on a PC. Symantec says hackers have found a way to do just that, alongside an exploit for eXtensible Stylesheet Language (XSL files).
Malware
Attackers are setting up a malware chain to enact the exploit. The chain starts with a classic bit of phishing, tricking unwitting users into clicking a URL-delivered shortlink. This link contains the malware file containing a WMIC command. In turn, it downloads an infested XSL file from a remote server.
Again, this is a classic case of not clicking on a link if you are in anyway unsure of its origin. Still, it is clear many people still do click links and get caught.
Inside the malicious XSL file is a JavaScript execution, which is actually an legitimate Windows process for the HTML Application Host. Of course, this particular JavaScript is loaded with malicious content. Specifically, 52 domains used to create a random domain and port number to download the malware content.
- These downloaded files include three DLL files, which are then registered using the legitimate Windows command-line utility regsvr32.exe, as well as the main payload. The downloaded DLLs are Delphi compiled executables.
- The HTA script launches one of the DLLs (hwasrhela64196155383.dll) with RegSvr32.exe. The important part here is that this DLL does not contain any exports, so it can be used directly as an executable. Once hwasrhela64196155383.dll is launched, it loads another DLL (either %UserProfile%\tempwj\hwasrhela98.dll for 32-bit systems or %UserProfile%\tempwj\hwasrhela64.dll for 64-bit systems). This DLL contains only one export named BTMEMO, which is used for decrypting and loading DLL files.
- The main payload is an information stealer with several multibit XOR-encrypted modules. All the modules are downloaded from URLs generated by the HTA file. The modules have either a .jpg or .gif extension.
