WMI Ghost
Description
(Trend Micro) The malware used in the Luckycat campaign, detected by Trend Micro as TROJ_WIMMIE or VBS_WIMMIE, connects to a C&C server via HTTP over port 80. It is notable because it uses Windows Management Instrumentation (WMI) to establish persistence. VBS_WIMMIE registers a script that works as a backdoor to the WMI event handler and deletes files associated with it or TROJ_WIMMIE. As a result, the backdoor cannot be detected by antivirus software through simple file scanning. The compromised computer posts data to a PHP script that runs on the C&C server, usually count.php.
The initial communication results in the creation of a file on the C&C server that contains information on the compromised computer. Although the file is empty, the file name contains the hostname of the compromised computer, followed by its MAC address, along with the campaign code the attackers use to identify which malware attack caused the compromise:
~[HOSTNAME][MAC_ADDRESS][CAMPAIGN_CODE]
The attacker then creates a file with a name that ends in @.c, which contains a command:
[HOSTNAME][MAC_ADDRESS][CAMPAIGN_CODE]@.c
The compromised computer then downloads the file and executes the specified command, which may be any of the following:
- Get external IP address
- Execute shell command
- Download file
- Upload file
The compromised computer then sends the output to the C&C server and deletes the command file.
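The persistence mechanism described above, a script registered to the WMI event handler, lives in the root\subscription namespace rather than on disk, which is why file scanning misses it. The following PowerShell is an added defender-side check, not code from the Trend Micro report or from this card: it enumerates the permanent WMI event subscriptions (__EventFilter, __EventConsumer and __FilterToConsumerBinding are the standard WMI system classes) and highlights script-based consumers so they can be reviewed. It assumes it is run in an elevated session on the host being inspected and makes no changes.

```powershell
# Added example (not from the Trend Micro report or this card): list permanent WMI
# event subscriptions so a defender can review script-based consumers of the kind
# the description attributes to VBS_WIMMIE. Read-only; run as an administrator.
$ns = 'root\subscription'

function Get-RefName($ref) {
    # Reference properties on a binding point at the filter/consumer by key (Name).
    # Get-CimInstance returns them as CimInstance objects; fall back to parsing the
    # WMI path string if a plain string is returned instead.
    if ($null -eq $ref) { return '<none>' }
    if ($ref.PSObject.Properties['Name']) { return $ref.Name }
    if ("$ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$ref"
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

if (-not $bindings) {
    Write-Output "No filter-to-consumer bindings in $ns."
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

    Write-Output "=== Binding: filter '$fName' -> consumer '$cName'"
    if ($f) {
        # The WQL query decides when the consumer fires (e.g. timer or process events).
        Write-Output "  Filter query : $($f.Query)"
    }
    if ($c) {
        Write-Output "  Consumer type: $($c.CimClass.CimClassName)"
        switch ($c.CimClass.CimClassName) {
            'ActiveScriptEventConsumer' {
                # A script stored inside WMI is the pattern this card describes; show
                # the engine and the first part of the script for analyst review.
                Write-Output "  ** Script consumer (review) **"
                Write-Output "  Engine       : $($c.ScriptingEngine)"
                if ($c.ScriptFileName) { Write-Output "  Script file  : $($c.ScriptFileName)" }
                if ($c.ScriptText) {
                    $preview = $c.ScriptText.Substring(0, [Math]::Min(200, $c.ScriptText.Length))
                    Write-Output "  Script text  : $preview"
                }
            }
            'CommandLineEventConsumer' {
                Write-Output "  ** Command-line consumer (review) **"
                Write-Output "  Command      : $($c.CommandLineTemplate)"
            }
            default {
                # Log/event consumers are common and usually benign, but are listed.
                Write-Output "  (non-script consumer)"
            }
        }
    }
}
```

On a clean workstation this typically prints either no bindings or only built-in consumers; an ActiveScriptEventConsumer whose script text was not deployed by the organisation is the artifact to investigate, and the same three classes can be exported with Get-CimInstance for offline review.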
Names
Name |
---|
WMI Ghost |
Wimmie |
Syndicasec |
Category
Malware
Type
- Backdoor
- Exfiltration
Information
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
- https://secrary.com/ReversingMalware/WMIGhost/
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Malpedia
Other Information
Uuid
79ca754c-8547-4c75-b7c9-836e9bf0034f
Last Card Change
2020-05-14