Hackers Abusing Windows Command Prompt to Steal Passwords

Hackers can steal your passwords even from the command prompt!

Cybercriminals are moving fast with their dark-minds to innovate and use legitimate tools to deliver the malicious file. With this new campaign attacker used Windows Management Interface Command (command prompt) to deliver the information-stealing malware.

WMIC is a command line interface that allows users to run WMI operations, which used to get the status of the local or remote computer systems. The use of legitimate tools allows attackers to fly under the radar of security products.

Symantec researchers observed malware authors abusing WMIC to download the information-stealing malware.

How the attack works via command prompt

Attackers use to deliver a shortcut file (.lnk) through URL or link in email or as an attachment. Once the user opens the file contains a WMIC command, it downloads the malicious file from the attacker’s remote server.

The file downloaded from the remote server is the malicious XSL(eXtensible Stylesheet Language) file and the malicious XSL contains the javascript. And which is executed using another legitimate application mshta.exe used in running Microsoft HTML Application Host.

According to researchers, the JavaScript contains a list of 52 domains. From that domains, it chooses a random URL as well as the random port between 25010-25099 to download the HTA file.

random url that downloads the HTA file
URL used to download HTA file

The HTA file also has randomization option to download other files, most of them are DLLs compiled with programming language Delphi.

Then HTA would launch the DLL hwasrhela64196155383.dll file with RegSvr32.exe, which is a direct executable and it loads additional DDL, the final export is BTMEMO used to decrypt and load the DLL files.

The Payload modules downloaded are:

  • Email password stealer
  • Web browser password stealer
  • Network Phishing
  • File browser
  • Coinminer
  • Backdoor
  • Keylogger

The primary payload is an information stealer and the additional modules are downloaded by the URL’s generated by the HTA, the downloaded modules will have .jpg or .gif extensions.

Credit: GBHackers

CEH Course In pune | Slink

Leave a Reply

Your email address will not be published. Required fields are marked *