Cryptomining malware is using WMI to evade antivirus detection

Unlike ransomware, which attacks all of your important files and holds them hostage, cryptomining malware does not touch your files at all. Instead, it "borrows" your computational resources to mine cryptocurrency for the attacker (Monero, in the case of the XMRig miner shown below). It can bring a high-end server to its knees in a few minutes by driving CPU utilisation to 90% or more. Recent cryptomining malware, like the variant described in this post, evades most antivirus scanners because of the unusual way it hides its payload. It still drops some malicious files, which antivirus can easily detect and remove, but it also hides payloads inside WMI classes.

Cryptomining malware running XMRig consuming more than 99% of the CPU

One of the variants I found has the ability to:

This malware abuses the WMI EventConsumer class to schedule execution of a malicious command. It works like the Windows Task Scheduler, but it is far more obscure, because WMI is rarely used to schedule tasks. Most system administrators look at Task Scheduler when they are dealing with malware persistence, and most antivirus products cannot scan payloads stored in the WMI repository. That makes it a near-perfect persistence method.
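To see how a WMI event subscription behaves like a scheduled task, the following lab script (an added example, not code from the original post or from the malware) plants a harmless permanent subscription on a disposable test VM and then removes it. The subscription name `WmiLabTimer`, the marker file under `C:\Windows\Temp` and the once-a-minute trigger are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added lab example (not the post's code): build and tear down a HARMLESS
# permanent WMI event subscription so the three objects involved are visible.
# Names, the marker-file command and the trigger are assumptions for this demo.

$Namespace = 'root\subscription'
$Name      = 'WmiLabTimer'   # hypothetical name; real malware picks something innocuous-looking

function New-LabSubscription {
    # 1. __EventFilter: a WQL query that WMI polls every 60 s. Win32_LocalTime always
    #    changes between polls, so a modification event fires roughly once a minute.
    $filter = New-CimInstance -Namespace $Namespace -ClassName __EventFilter -Property @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
                         "WHERE TargetInstance ISA 'Win32_LocalTime'"
    }

    # 2. CommandLineEventConsumer: the command WMI runs (as SYSTEM, under WmiPrvSE.exe)
    #    each time the filter fires. Here it only appends a line to a marker file.
    $consumer = New-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -Property @{
        Name                = $Name
        CommandLineTemplate = 'cmd.exe /c echo fired >> C:\Windows\Temp\wmi_lab_marker.txt'
    }

    # 3. __FilterToConsumerBinding: nothing executes until filter and consumer are tied together.
    New-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -Property @{
        Filter   = [Ref]$filter
        Consumer = [Ref]$consumer
    }
}

function Remove-LabSubscription {
    # Unbind first, then delete consumer and filter, so nothing is left half-removed.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $Name } | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer |
        Where-Object Name -eq $Name | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        Where-Object Name -eq $Name | Remove-CimInstance
}

New-LabSubscription
# Wait a minute or two, then check that the consumer ran without any scheduled task:
Get-Content -Path 'C:\Windows\Temp\wmi_lab_marker.txt'
Remove-LabSubscription
```

Nothing in Task Scheduler or the Run keys changes while this is installed; the only traces are the three objects in `root\subscription` and the `cmd.exe` child of `WmiPrvSE.exe` each time it fires, which is exactly the kind of process tree an EDR should surface. Real implants commonly use a trigger keyed on `Win32_PerfFormattedData_PerfOS_System` uptime so the payload fires a few minutes after every boot rather than every minute.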

When your system is infected you will find something like this:

EDR records the command line of each running process

In my environment, this malware uses the following malicious names:

According to the FireEye publication "Windows Management Instrumentation (WMI) Offense, Defense, and Forensics", three things are required to install a permanent WMI event subscription: an __EventFilter (the WQL query that acts as the trigger), an __EventConsumer (for example a CommandLineEventConsumer holding the command to run), and a __FilterToConsumerBinding that ties the two together.

I use the following commands to find payloads in the root\subscription namespace, which is the namespace normally used for permanent event subscriptions and therefore for this kind of persistence.

Here are some examples found in my environment:

To copy the encoded payload more easily, we can save the output directly to a file using this command:

I created a simple PowerShell script to automate most of the cleaning process:
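The hunting, export and clean-up steps above can be combined into one script. The following is an added example written for this article, not the author's own script: it lists every binding in `root\subscription` together with its trigger query and payload, writes each payload to a file (decoding `powershell.exe -EncodedCommand` blobs, which are base64 of UTF-16LE text), and removes a subscription by name. The output folder under `%TEMP%` and the function names are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the post's script): hunt, export and remove WMI event subscriptions.
# Output folder and function names are assumptions for this demo.

$Namespace = 'root\subscription'

function Get-RefName {
    param($Ref)
    # Get-CimInstance returns Filter/Consumer as CimInstance references; Get-WmiObject
    # returns strings such as __EventFilter.Name="X". Handle both.
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="', '' -replace '"$', '') }
    return $Ref.Name
}

function Get-WmiSubscription {
    # Join each binding to its filter and consumer so trigger and payload are seen together.
    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $filter   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
                    Where-Object Name -eq $filterName
        # Querying the abstract __EventConsumer class returns every consumer type
        # (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
        $consumer = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
                    Where-Object Name -eq $consumerName
        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            Consumer      = $consumerName
            ConsumerClass = $consumer.CimClass.CimClassName
            # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
            Payload       = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        }
    }
}

function Decode-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe -EncodedCommand (any prefix such as -e, -ec, -enc is accepted)
    # takes base64 of a UTF-16LE string. Return the decoded script, or $null if none.
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Export-WmiPayload {
    param([string]$OutDir = (Join-Path $env:TEMP 'wmi_payloads'))   # assumed output folder
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($s in Get-WmiSubscription) {
        $safe = $s.Consumer -replace '[^\w\.-]', '_'
        $s.Payload | Out-File -FilePath (Join-Path $OutDir "$safe.raw.txt") -Encoding utf8
        $decoded = Decode-EncodedCommand $s.Payload
        if ($decoded) { $decoded | Out-File -FilePath (Join-Path $OutDir "$safe.decoded.ps1") -Encoding utf8 }
    }
    Write-Host "Payloads written to $OutDir"
}

function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    # Remove the binding first so the payload cannot fire while the rest is being deleted.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName -and (Get-RefName $_.Consumer) -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        Where-Object Name -eq $ConsumerName | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        Where-Object Name -eq $FilterName | Remove-CimInstance
}

# Usage: review first, export the payloads for analysis, then remove the ones confirmed malicious.
Get-WmiSubscription | Format-List
Export-WmiPayload
# Remove-WmiSubscription -FilterName '<filter name>' -ConsumerName '<consumer name>'
```

Review the listing before removing anything: Windows ships a legitimate subscription (the `SCM Event Log Filter` bound to the `SCM Event Log Consumer`, an NTEventLogEventConsumer), and management products add their own. After the subscription is gone, kill the running miner process as well; if you only kill the process, the binding will start it again the next time the filter fires.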

Modern malware is starting to use legitimate Windows tools and applications to execute payloads and move around the network. We really can't focus on prevention alone: no matter how good your preventive controls are, someday they will be bypassed, so you should be ready to detect and respond quickly. An Endpoint Detection and Response (EDR) product is a good addition to your existing security stack. EDR provides visibility into all critical endpoints and helps your security team analyse malware or hunt down an attacker.

Another thing that is sometimes overlooked is the principle of least privilege. For example, a domain administrator account should not be used to manage and maintain a domain member server, and critical servers should not share service accounts with non-critical servers. You might also consider implementing Privileged Access Management (PAM) to limit the impact when an attacker is able to compromise a server. A PAM solution limits lateral movement and can also detect illegitimate activity.

Last but not least, patching critical vulnerabilities, especially those that allow an attacker to achieve remote code execution such as CVE-2017-0143 (MS17-010), is really important.
