Windows WMI used for malware

Trend Micro’s engineer Lennard Galang has written a blog post about two pieces of malware that leveraged a Windows service, Windows Management Instrumentation (WMI), to execute their malicious routines.

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.

WMI can be considered a database that contains information on anything and everything related to a system’s OS and its users. As WMI contains a huge chunk of data, cybercriminals find it a very likely target for their malicious creations. They can, for instance, introduce specialized pragma to the service to make affected systems do their malicious bids such as: Mine sensitive information that can only be accessed by the said service, Elevate a malicious user’s system privilege to spy on and probe the affected system and other systems connected to the same network and Embed malicious scripts into target services

In this particular attack, TROJ_WMIGHOST.A, a WMI script, arrives on a system bundled with BKDR_HTTBOT.EA, a DLL malware. The malicious script opens two Internet browser windows. The first window allows BKDR_HTTBOT.EA to execute via an ActiveX content. The second window allows the backdoor to post Office files (e.g., Word, PowerPoint, or Excel) to a remote site and to execute other malicious scripts from the Ghost IP. These backdoor routines puts users at risk of losing pertinent data.