Attackers Abuse WMIC to Download Malicious Files

Malware authors use WMIC and a host of other legitimate tools to deliver information-stealing malware, highlighting the continued use of living off the land tactics.

We recently observed malware authors using a combination of a tool found on all Windows computers and a usually innocuous file type associated with modifying and rendering XML documents. While these two things—the Windows Management Instrumentation Command-line (WMIC) utility and an eXtensible Stylesheet Language (XSL) file—would not normally raise suspicion if found on a computer, in this case they’re used as part of a multistage infection chain that delivers a modular information-stealing threat.

The use of WMI by cyber criminals is not new, however, the tool is typically used for propagation but in this case is used to download a malicious file.

Read more…
Source: Symantec