2022-02-01

Log4Shell and Coinminers

Level: Tactical | Source: BlackBerry

Industry: N/A | Level: Operational | Source: BlackBerry

BlackBerry Research & Intelligence and Incident Response (IR) identified attacks by the threat group Prophet Spider leveraging the Log4j vulnerability against the VMware Horizon platform. Attacks associated with the vulnerability were identified largely by monitoring child processes of ws_TomcatService.exe that led to the execution of the PowerShell or cmd scripting interpreters. Post-exploitation, additional tools could be downloaded with PowerShell, via encoded commands or Invoke-Expression, or with curl. To maintain persistence, scheduled tasks were created along with web shells. Lastly, file clean-up was also observed, removing indicators.
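
One way to triage the process-creation telemetry described above, as an added example (not BlackBerry's or Anvilogic's detection content): it flags cmd or PowerShell children of ws_TomcatService.exe and tags the follow-on behaviours the summary lists. The event shape, file paths, tag names and sample events are constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

PARENT = "ws_tomcatservice.exe"            # Horizon Tomcat service named in the report
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Heuristics for the post-exploitation behaviours in the summary (tag names are hypothetical).
FOLLOW_ON = {
    "encoded_powershell": re.compile(r"\s-(e|ec|enc\w*)\s", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "curl_download": re.compile(r"\bcurl(\.exe)?\b", re.I),
    "scheduled_task_create": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
}

def triage(events):
    """Return (cmdline, tags) for each child of the Tomcat service that needs review."""
    hits = []
    for ev in events:
        if basename(ev["parent"]).lower() != PARENT:
            continue  # only children of the Horizon Tomcat service are in scope
        tags = []
        if basename(ev["image"]).lower() in INTERPRETERS:
            tags.append("interpreter_child")
        tags += [name for name, rx in FOLLOW_ON.items() if rx.search(ev["cmdline"])]
        if tags:
            hits.append((ev["cmdline"], tags))
    return hits

# Constructed sample events; paths and values are placeholders, not taken from the report.
TOMCAT = r"C:\Example\Horizon\ws_TomcatService.exe"
EVENTS = [
    {"parent": TOMCAT, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": TOMCAT, "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc <BASE64_PLACEHOLDER>"},
    {"parent": TOMCAT, "image": r"C:\Example\Horizon\helper.exe",
     "cmdline": "helper.exe -version"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell.exe -enc <BASE64_PLACEHOLDER>"},
    {"parent": TOMCAT, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c schtasks /create /tn EXAMPLE /tr C:\Example\placeholder.cmd"},
]

if __name__ == "__main__":
    for cmdline, tags in triage(EVENTS):
        print(f"{','.join(tags):45} {cmdline}")
```

The parent check is what keeps the rule narrow: the same encoded PowerShell command launched from services.exe is ignored here and would need its own detection.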

  • Anvilogic Scenarios:
      • Cryptominer Install
      • Common Log4Shell Payload
  • Anvilogic Use Cases:
      • Potential CVE-2021-44228 - Log4Shell
      • Executable Create Script Process
      • Command Shell Executed by Process
