Exploit of VMware Vulnerability for DDoS, Ransomware or Cryptomining
Category: Ransomware News | Industry: N/A | Level: Tactical | Source: Fortinet
Fortinet researchers discovered threat actors exploiting a patched VMware server-side template injection vulnerability (CVE-2022-22954) to distribute Mirai for distributed denial-of-service (DDoS) attacks, the RAR1Ransom tool, which abuses WinRAR to lock files, and XMRig to mine Monero cryptocurrency. Before August 2022, attacks using the vulnerability had only probed the compromised host for credentials and system files. The recent payloads target both Linux and Windows systems with bash and PowerShell scripts downloaded from the Cloudflare IPFS gateway to stage the attacker's objective. Seven files are used for initialization, and if Cloudflare is unreachable, each file has a backup link on the attacker's domain, crustwebsites[.]net. The initialization files can download the ransomware executable, install the cryptominer, or scan the host for competing cryptominers and remove them before installing the attacker's own. Ransomware attacks use RAR1Ransom to abuse WinRAR to lock targeted files on the host with a password; the locked files have the "rar1" extension appended, and a ransom note dropped by the attacker demands payment of 2 XMR.
Anvilogic Use Cases:
- VMware ONE CVE-2022-22954
- Invoke-WebRequest Command
- File Download (Unix)