Crypto-mining Malware: Evade AV Detection with WMI

Unlike ransomware which attacks all your important files and takes them as hostages, a crypto mining malware does not attack any of your files. Instead, it “borrows” your computational resources to do bitcoin mining for the attacker. It can take down a high-end server in just a few minutes by utilizing the CPU up to 90% or even more. Recent crypto mining malware like the one I describe in this post can evade most antivirus scanner due to its unique ability in hiding its payload. It still dropped some malicious file which can easily detect and be removed by antivirus, but it is also hiding some payloads in Windows WMI Class.

One of the variants I found has the ability to:

• Abuse WMI class for persistence
• Read credentials using the Mimikatz module
• Lateral movement, using the netstat command to identify the next target
• Use EternalBlue to exploit the next target machine without a credential
• Setup a scheduler to run malicious process
• Use PowerShell and command line script to create a new malicious process and maintain persistence
• Drop various malicious files on the victim computer
• Contact C2 server using PowerShell script to download the next stage of payload and install bitcoin miner agent

This malware abuse EventConsumer class in WMI to schedule execution of a malicious command. It works like a Task Scheduler in Windows, but it is more obscured since WMI is rarely used to schedule a task. Most system administrators will look at Task Scheduler when they deal with malware persistence. Most antivirus also cannot scan payload in WMI. So this is a perfect method for persistence.

When your system is infected you will find something like this:

The class in above picture is a fake class created by malware. Using wbemtest.exe, I was able to locate this class in the rootdefault namespace. Win32_Services does not exist in a clean machine. I identified the name after analyzing the process command line using an EDR (Endpoint Detection and Response) solution. You can also use Task Manager to display command line column and check suspicious process one by one.

If you are wondering what the purpose of those properties in Win32_Services class, here is the explanation:

• mon = Monero CPU miner
• mimi = Mimikatz, a credential harvesting tool
• funs = Combination of publicly available scripts to achieve remote DLL loading via WMI and obfuscated EternalBlue
• i17 = contains IPs with SMBv1 vulnerability
• ipsu = contains IPs which can be accessed using stolen credentials
• sc = shellcode used to download payload from C2 server

In my environment, this malware uses the following malicious name:

• Win32_Services, this malicious class was found in the rootdefault namespace
• DSM Event Log Consumer, this malicious instance was found in rootsubscription namespace
• DSM Event Log Filter, this malicious instance was found in rootsubscription namespace

How to manually detect a presence of malware in WMI

According to a publication by FireEye entitled “Windows Management Instrumentation (WMI) Offense, Defense, and Forensic,” there are three things required to install a permanent WMI event subscription:

1. An event filter — The event of interest
2. An event consumer — An action to perform upon triggering an event
3. A filter to consumer binding — The registration mechanism that binds a filter to a consumer

I use following commands to find payloads in rootsubscription namespace which is commonly used to maintain persistence.

Here are some examples found in my environment:

To easily copy the encoded payload, we can save the output directly to a file using this command:

To decode the script, we can use online service like https://www.base64decode.org/

How to Remove Cryptomining Malware WMI Persistence

I created a simple PowerShell script to automate most of the cleaning process:

To use this script, first, you need to identify the name of malicious class and instance. The first block of codes is used to kill all malicious processes. The second one is used to remove all WMI classes and instances containing the encoded payload. For more information about removing this malware, please see some sample scripts on my Github page

Conclusion

Modern malware is starting to use legitimate windows tool and application to execute payload and move around the network. We really can’t just focus on prevention. No matter how good your preventive solution, someday it will be bypassed. So you should be ready to detect and respond quickly. Having an Endpoint Detection and Response (EDR) is a good addition to your existing security solution. EDR can provide visibility in all critical endpoints and also can assist your security team in malware analysis or hunt down an attacker.

Another thing that sometimes overlooked is Least Privilege principle. For example, domain administrator should not be used to manage and maintain a domain member server. Critical servers should not use the same service account running on noncritical servers. You might also consider implementing a Privilege Access Management (PAM) to limit the impact when an attacker can compromise a server. A PAM solution will limit the lateral movement and also can detect a presence of illegal activity.

Last but not least, patching a critical vulnerability especially the one that can allow an attacker to do remote code execution like CVE-2017–0143 / MS17–010 is important.

Further readings

• https://github.com/christofersimbar/WannaMineCleaner
• https://github.com/xmrig/xmrig
• http://la.trendmicro.com/media/misc/understanding-wmi-malware-research-paper-en.pdf
• https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/
• http://www.exploit-monday.com/2016/08/wmi-persistence-using-wmic.html
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf