Security researchers have found that a growing number of malware threats use queries to the Windows Management Instrumentation (WMI) infrastructure to avoid detection.
Malware using WMI is the newest tactic to avoid detection
Windows Management Instrumentation, also known as WMI, is a set of extensions to the Windows Driver Model that allows various components to provide information and notifications to the operating system. Security engineers report a rising trend of malware abusing WMI functionality to avoid detection and to infect victim hosts in a more sophisticated way.
The attackers combine WMI and PowerShell code to create malicious components that persist on the host. Using the framework, the code can detect the type of environment (operating system, architecture, and other important details) and execute different payloads depending on the host system.
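The persistence described above is typically built from permanent WMI event subscriptions: an `__EventFilter` (a WQL query that fires on some event), an `__EventConsumer` (often a `CommandLineEventConsumer` or `ActiveScriptEventConsumer` carrying the PowerShell or script payload), and an `__FilterToConsumerBinding` that ties the two together. The following PowerShell script is an added defensive example written for this article, not code from the article or from any reported malware; it enumerates those three classes in `root\subscription` and flags consumers whose payload matches a list of indicator substrings. The indicator list is a constructed starting point, not a definitive rule set, and the script assumes it is run with administrative rights.

```powershell
# Added example (not from the article): audit permanent WMI event subscriptions,
# the mechanism behind WMI-based persistence, and flag suspicious consumers.
# Read-only: nothing is modified or removed. Run in an elevated PowerShell session.

$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Constructed indicator substrings for this example; tune them to your environment.
$suspicious = 'powershell', '-enc', '-e ', 'hidden', 'downloadstring', 'iex',
              'invoke-expression', 'cmd.exe', 'wscript', 'cscript', 'mshta',
              'rundll32', 'regsvr32', 'frombase64string'

# Reference properties may come back as CimInstance objects or as object-path
# strings such as  __EventFilter.Name="NAME"  depending on the provider; handle both.
function Get-RefName {
    param($Ref)
    if ($null -eq $Ref) { return '' }
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]+)".*$', '$1') }
    return $Ref.Name
}

# Pull the executable content out of the consumer types that can run code.
function Get-ConsumerPayload {
    param($Consumer)
    if ($null -eq $Consumer) { return '' }
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { return [string]$Consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { return "$($Consumer.ScriptingEngine): $($Consumer.ScriptText)" }
        default                     { return '' }
    }
}

$report = foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer

    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }
    $payload = Get-ConsumerPayload $c

    $hits = @($suspicious | Where-Object { $payload -match [regex]::Escape($_) })

    [pscustomobject]@{
        Filter     = $filterName
        Query      = $f.Query
        Consumer   = $consumerName
        Type       = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
        Payload    = $payload
        Suspicious = ($hits.Count -gt 0)
        Matches    = ($hits -join ',')
    }
}

# Show every binding; suspicious ones first so they are hard to miss.
$report | Sort-Object -Property Suspicious -Descending | Format-List
```

On a stock Windows installation expect to see a single benign binding (the `SCM Event Log Filter` / `SCM Event Log Consumer` pair, an `NTEventLogEventConsumer` that carries no command line), so anything else, and in particular any `CommandLineEventConsumer` or `ActiveScriptEventConsumer`, deserves a closer look regardless of whether the indicator list matches. The query text (`$f.Query`) is worth reading as well, since triggers such as a daily timer or a logon event are common choices for persistence.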
One of the first reported incidents showing this behavior was identified in 2014. The attack relied on remote commands crafted in a PowerShell script, combined with in-memory exploits, to harvest credentials from the victim system. The attackers used various Windows utilities, custom malware code, and VB scripts, in addition to administration tools. These techniques are easy for criminals to use and hard for system administrators to trace, as some of them are rarely used and relatively unknown.
WMI enables high-level interaction with objects from various programming languages: C, C++, VBScript, C# and JScript. Criminals use its services to avoid virtualized environments and honeypots. They employ advanced detection capabilities that gather details about the operating system and installed anti-virus tools and send this information to the remote C&C server, which responds with a payload appropriate for the target host.
Various threats have shown that attackers craft code that checks the BIOS version of the computer and even the WMI classes that are characteristic of virtual machines. The malware can also kill specific processes to avoid detection and cause additional damage.