0P3N Blog Blog Post
Ready to Start Your Career?
Create Free Account
By: markpepapa
April 28, 2018

Crypto-mining Malware: Evade AV Detection with WMI

By: markpepapa
April 28, 2018
By: markpepapa
April 28, 2018

Unlike ransomware which attacks all your important files and takes them as hostages, a crypto mining malware does not attack any of your files. Instead, it “borrows” your computational resources to do bitcoin mining for the attacker. It can take down a high-end server in just a few minutes by utilizing the CPU up to 90% or even more. Recent crypto mining malware like the one I describe in this post can evade most antivirus scanner due to its unique ability in hiding its payload. It still dropped some malicious file which can easily detect and be removed by antivirus, but it is also hiding some payloads in Windows WMI Class.

Cryptomining malware using XMRig consume CPU resource more than 99%

One of the variants I found has the ability to:

  • Abuse WMI class for persistence
  • Read credentials using the Mimikatz module
  • Lateral movement, using the netstat command to identify the next target
  • Use EternalBlue to exploit the next target machine without a credential
  • Setup a scheduler to run malicious process
  • Use PowerShell and command line script to create a new malicious process and maintain persistence
  • Drop various malicious files on the victim computer
  • Contact C2 server using PowerShell script to download the next stage of payload and install bitcoin miner agent

This malware abuse EventConsumer class in WMI to schedule execution of a malicious command. It works like a Task Scheduler in Windows, but it is more obscured since WMI is rarely used to schedule a task. Most system administrators will look at Task Scheduler when they deal with malware persistence. Most antivirus also cannot scan payload in WMI. So this is a perfect method for persistence.

When your system is infected you will find something like this:

Win32_Services, the fake class created by malware

The class in above picture is a fake class created by malware. Using wbemtest.exe, I was able to locate this class in the rootdefault namespace. Win32_Services does not exist in a clean machine. I identified the name after analyzing the process command line using an EDR (Endpoint Detection and Response) solution. You can also use Task Manager to display command line column and check suspicious process one by one.

EDR detected malicious process and blocked it
EDR records command line of each running process

If you are wondering what the purpose of those properties in Win32_Services class, here is the explanation:

  • mon = Monero CPU miner
  • mimi = Mimikatz, a credential harvesting tool
  • funs = Combination of publicly available scripts to achieve remote DLL loading via WMI and obfuscated EternalBlue
  • i17 = contains IPs with SMBv1 vulnerability
  • ipsu = contains IPs which can be accessed using stolen credentials
  • sc = shellcode used to download payload from C2 server

In my environment, this malware uses the following malicious name:

  • Win32_Services, this malicious class was found in the rootdefault namespace
  • DSM Event Log Consumer, this malicious instance was found in rootsubscription namespace
  • DSM Event Log Filter, this malicious instance was found in rootsubscription namespace

How to manually detect a presence of malware in WMI

According to a publication by FireEye entitled “Windows Management Instrumentation (WMI) Offense, Defense, and Forensic,” there are three things required to install a permanent WMI event subscription:

  1. An event filter — The event of interest
  2. An event consumer — An action to perform upon triggering an event
  3. A filter to consumer binding — The registration mechanism that binds a filter to a consumer

I use following commands to find payloads in rootsubscription namespace which is commonly used to maintain persistence.

wmic/namespace:\rootsubscription PATH __EventConsumer get/format:list
wmic/namespace:\rootsubscription PATH __EventFilter get/format:list
wmic/namespace:\rootsubscription PATH __FilterToConsumerBinding get/format:list
wmic/namespace:\rootsubscription PATH __TimerInstruction get/format:list

Here are some examples found in my environment:

Payload found in __EventConsumer instance
Payload found in __EventConsumer instance

To easily copy the encoded payload, we can save the output directly to a file using this command:

wmic/namespace:\rootsubscription PATH __EventConsumer get/format:list > payload.txt

To decode the script, we can use online service like https://www.base64decode.org/

Payload found in __EventFilter instance.
Payload found in __FilterToConsumerBinding instance

How to Remove Cryptomining Malware WMI Persistence

I created a simple PowerShell script to automate most of the cleaning process:

foreach($ip in Get-Content .serverlist.txt) {#save all target IP in serverlist.txt Write-Output “===================================” Write-Output “Processing $ip …” Write-Output “===================================” #these lines are used to kill malicious process which can be identified by their command line or path wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE wmic /node:$ip process WHERE “ExecutablePath=’C:\ProgramData\UpdateService.exe’” CALL TERMINATE wmic /node:$ip process WHERE “ExecutablePath=’C:\ProgramData\AppCache\17_\java.exe’” CALL TERMINATE wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
#change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment wmic /node:$ip /NAMESPACE:”\rootdefault” Class Win32_Services DELETE wmic /node:$ip /NAMESPACE:”\rootsubscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE wmic /node:$ip /NAMESPACE:”\rootsubscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE wmic /node:$ip /NAMESPACE:”\rootsubscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE}

To use this script, first, you need to identify the name of malicious class and instance. The first block of codes is used to kill all malicious processes. The second one is used to remove all WMI classes and instances containing the encoded payload. For more information about removing this malware, please see some sample scripts on my Github page

Conclusion

Modern malware is starting to use legitimate windows tool and application to execute payload and move around the network. We really can’t just focus on prevention. No matter how good your preventive solution, someday it will be bypassed. So you should be ready to detect and respond quickly. Having an Endpoint Detection and Response (EDR) is a good addition to your existing security solution. EDR can provide visibility in all critical endpoints and also can assist your security team in malware analysis or hunt down an attacker.

Another thing that sometimes overlooked is Least Privilege principle. For example, domain administrator should not be used to manage and maintain a domain member server. Critical servers should not use the same service account running on noncritical servers. You might also consider implementing a Privilege Access Management (PAM) to limit the impact when an attacker can compromise a server. A PAM solution will limit the lateral movement and also can detect a presence of illegal activity.

Last but not least, patching a critical vulnerability especially the one that can allow an attacker to do remote code execution like CVE-2017–0143 / MS17–010 is important.

Further readings

Join over 2 million IT and cyber professionals advancing their careers

OR REGISTER WITH

Google

Already have an account? Sign In »

Ready to Share Your Original Content?

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry