Log4Shell Vulnerability on VMWare Horizon Servers Exploited
The Lazarus Group, a North Korean advanced persistent threat gang, recently targeted energy companies in Canada, the U.S. and Japan to establish long-term access into victim networks to conduct espionage operations by deploying custom-built malware implants.
The latest campaign tracked by Cisco Talos researchers uncovered that the threat actors exploited vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations, followed by the deployment of the group’s custom-built malware implants, VSingle, YamaBot and a previously unknown malware implant dubbed MagicRAT.
Researchers say that the campaign is to establish long-term access into victim networks to siphon off proprietary intellectual property from unnamed energy companies.
The malicious activity was spotted between February and July 2022 and saw threat actors exploiting the Log4Shell vulnerability on VMWare Horizon public-facing servers in a few campaigns as the initial attack vector (see: Log4Shell Update: VMware Horizon Targeted).
The RATs identified by the researchers, VSingle and YamaBot, are developed and distributed by Lazarus. Japanese CERT (JPCERT/CC) published details about these VSingle and YamaBot RATs and attributed the campaigns to the Lazarus threat actor.
Researchers say they observed several attacks targeting multiple victims, however, two specific attack instances that they assess have been the most “representative of the playbooks employed by Lazarus in this campaign.”
First is the use of the VSingle implant, and the second instance is the deployment of “MagicRAT” along with VSingle. A third intrusion set worth noting was the use of a third bespoke implant known as YamaBot.
With exploiting Log4Shell vulnerability on VMWare Horizon public-facing servers as the initial attack vector, Cisco Talos researchers say that the compromise is followed by a series of activities to establish a foothold on the systems before the attackers deploy additional malware and move laterally across the network.
During the investigation, they uncovered two different foothold payloads. In the first, they used abused node.exe, which is shipped with VMware to execute the oneliner node.exe script, which helps open an “interactive reverse shell that attackers could use to issue arbitrary commands on the infected entry endpoint.”
The other instance is the exploitation of vulnerabilities in VMWare to launch custom PowerShell scripts on the infected endpoint via VMWare’s ws_ConnectionServer.exe.
“Since VMWare Horizon is executed with administrator privileges, the attacker doesn’t have to worry about elevating their privileges. After the interactive shell is established, the attackers perform a preliminary reconnaissance on the endpoint to get network information and directory listings,” researchers say.
In the next step, threat actors deactivate the Windows Defender components through registry key changes, WMIC commands and PowerShell commands.
Upon successfully shutting down the AV on the system using the reverse shell, it enables attackers to deploy the malware implant VSingle.
The whole deployment process involves downloading of a legitimate WinRAR utility from a remote location controlled by the attackers along with an additional payload.
The additional payload downloaded to the endpoint is decompressed and consists of “the VSingle malware executable which is optionally renamed and then persisted on the endpoint by creating an auto-start service.”
Cisco Talos investigations led to the discovery of commands fed to the VSingle backdoor by the attackers to carry out a variety of activities such as reconnaissance, exfiltration and manual backdooring.
In one of the intrusion attempts, the researcher found that the attackers initially deployed VSingle on the endpoint, but later when the sample was detected it was at the risk of losing access to the enterprise. In this case, attackers deployed another variant of VSingle for maintaining continued access, before finally moving to the YamaBot implant.
The custom-made GoLang-based malware family, YamaBot uses HTTP to communicate with its command and control servers and begins by sending preliminary system information about the infected endpoint to the C2: computer name, username and MAC address.
This implant has standard RAT capabilities like list files and directories, sending process information to C2, downloading files from remote locations, executing arbitrary commands on the endpoints, and uninstalling itself.
Discovery of MagicRAT
In a separate victim network, Cisco Talos researchers saw a similar chain of events: initial recon followed by disabling the AV software and the deployment of a bespoke implant.
They also observed lateral movement into other endpoints in the enterprise. “What’s unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems,” researchers say.
In further lateral movements, after the initial access, the attackers conducted limited reconnaissance of the endpoint and deployed two different malware families MagicRAT and VSingle to maintain covert access.
“The attackers then started to perform Active Directory related explorations to identify potential endpoints to laterally move into,” researchers say. “Once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify if they are reachable.”
While investigating, researchers observed the deployment of impacket tools on certain endpoints to move laterally and establish an interactive shell, which was done manually by a human operator.
“While trying to establish interactive remote console sessions, we can see the operators making errors on the commands,” researchers say.
These attackers take their own time to explore the infected machine and whenever a particular file of interest is found they put it on a .rar archive for exfiltration using one of the custom-developed implants running on the system.
The infection chains remained the same, however, some of the other key variations observed by the researchers include optional activities conducted by the APT group in different intrusion attempts:
- Credential Harvesting using tools such as Mimikatz and Procdump.
- Proxy tools to set up SOCKs proxies.
- Reverse tunneling tools such as PuTTY’s plink.