We recently observed malware authors using a combination of a tool found on all Windows computers and a usually innocuous file type associated with modifying and rendering XML documents. While these two things—the Windows Management Instrumentation Command-line (WMIC) utility and an eXtensible Stylesheet Language (XSL) file—would not normally raise suspicion if found on a computer, in this case they’re used as part of a multistage infection chain that delivers a modular information-stealing threat.
The use of WMI by cyber criminals is not new; however, the tool is typically used for propagation but in this case is used to download a malicious file.
The use of WMIC is beneficial for the attackers as it helps them to remain inconspicuous and also provides them with a powerful tool to aid them in their activities. The WMIC utility provides a command-line interface for WMI, which is used for an array of administrative capabilities for local and remote systems and can be used to query system settings, stop processes, and locally or remotely execute scripts. Parallels can be drawn between WMIC and PowerShell, another legitimate tool which is also found on Windows systems and is increasingly being abused by cyber criminals. PowerShell’s popularity among cyber criminals was highlighted when Symantec saw a 661 percent increase in malicious PowerShell activity from H2 2017 to H1 2018.