We recently observed malware authors using a combination of a tool found on all Windows computers and a usually innocuous file type associated with modifying and rendering XML documents. While these two things—the Windows Management Instrumentation Command-line (WMIC) utility and an eXtensible Stylesheet Language (XSL) file—would not normally raise suspicion if found on a computer, in this case they’re used as part of a multistage infection chain that delivers a modular information-stealing threat.
