2022-10-25

Exploit of VMware Vulnerability for DDoS, Ransomware or Cryptomining

Level: 
Tactical
  |  Source: 
Fortinet
Share:

Exploit of VMware Vulnerability for DDoS, Ransomware or Cryptomining

Category: Ransomware News | Industry: N/A | Level: Tactical | Source: Fortinet

Fortinet researchers discovered threat actors exploiting a patched VMware server-side template injection vulnerability/CVE-2022-22954 to distribute Mirai for distributed-denial-of-service (DDoS) attacks, ransomware tool RAR1ransom which abuses WinRAR to lock files and XMRIG to mine for Monero crypto-coins. Prior to August 2022, attacks utilizing the vulnerability had simply probed the compromised host for credentials and system files. Recent payloads target Linux and Windows systems using bash and PowerShell scripts, downloaded from Cloudflare IPFS gateway to set the stage for the attacker's objective. Seven files can be used for initialization and if Cloudflare is unreachable, each file has a backup link on the attacker's domain - crustwebsites[.]net. The initialization files can download the executable for ransomware, install the cryptominer or scan the host to remove cryptominers to install the attacker's own cryptominer. Ransomware attacks use the RAR1Ransom tool to abuse WinRAR to lock targeted files on the host with a password. The locked files are appended with the "rar1" extension and a ransom note dropped by the attack, demanding payment of 2XMR tokens.

Anvilogic Use Cases:

  • VMware ONE CVE-2022-22954
  • Invoke-WebRequest Command
  • File Download (Unix)

Get trending threats published weekly by the Anvilogic team.

Sign Up Now