
Hackers exploit critical VMware flaw to drop ransomware, miners

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

The issue leveraged in the attacks is CVE-2022-22954, a remote code execution bug triggered through server-side template injection.

Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mirai botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.

VMware released security updates when the flaw was disclosed on April 6. Once proof-of-concept (PoC) exploits became publicly available, the product quickly became a target for threat actors.

Within two weeks of the disclosure, BleepingComputer reported about the active exploitation of CVE-2022-22954 by APT35, a.k.a. Rocket Kitten, to backdoor vulnerable servers.

In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.

New campaigns

Starting in August, Fortinet saw a change in the attacks, which went from targeted data-exfiltration attempts to cryptominers, file-lockers, and DDoS enlistment by a Mirai variant.

One interesting case is a pair of Bash and PowerShell scripts targeting Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.

The PowerShell script (“init.ps1”) downloads the following files from a Cloudflare IPFS gateway:

phpupdate.exe: Xmrig Monero mining software
config.json: Configuration file for mining pools
networkmanager.exe: Executable used to scan and spread infection
phpguard.exe: Executable used for guardian Xmrig miner to keep running
clean.bat: Script file to remove other cryptominers on the compromised host
encrypt.exe: RAR1 ransomware

If the Cloudflare resource is unavailable for any reason, the malware uses a backup link at “crustwebsites[.]net”.

RAR1Ransom attack

RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim’s files and lock them with a password.

Abuse of ‘rar.exe’ to lock down files (Fortinet)

RAR1Ransom does this to a specific list of file types, like most ransomware strains, and eventually appends the “rar1” extension.

File types targeted by RAR1Ransom (Fortinet)

Eventually, the malware drops a ransom note requesting the payment of 2 XMR to a provided wallet address, which today corresponds to about $140.

Ransom note dropped by RAR1Ransom (Fortinet)

Although there is no encryption, the files are still unavailable without a valid password.

Local mining and spread

According to Fortinet, the threat actor uses the same Monero address in the ransom note to mine cryptocurrency on compromised Windows or Linux hosts using GuardMiner.

The Monero mining pool address used by the miner (Fortinet)

Fortinet first reported on GuardMiner in 2020, describing it as a fully fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.

In the variant used in the recent attacks, GuardMiner can spread to other hosts via the “networkmanager.exe” module by fetching and using exploits from a security-testing GitHub repository.
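As an added illustration (not code from Fortinet's report or from BleepingComputer), the following Python script runs a handful of hunting rules over constructed Sysmon-style process, file and DNS events, covering the behaviours the article describes: the file set fetched by init.ps1 and its backup domain, rar.exe invoked with a password switch and output files carrying the rar1 extension, and GuardMiner-style persistence through scheduled tasks and new local accounts. The JSON-lines event format, the `cloudflare-ipfs.com` gateway hostname and every sample event are assumptions constructed for this example.

```python
"""Hunting rules for the behaviours described above, run over constructed
Sysmon-style events.  Example code added for illustration; not Fortinet's or
BleepingComputer's, and the event format is an assumption."""
import json
import re
from collections import Counter

# File names the article lists as fetched by init.ps1 (plus the script itself)
DROPPER_FILES = {"init.ps1", "phpupdate.exe", "config.json", "networkmanager.exe",
                 "phpguard.exe", "clean.bat", "encrypt.exe"}
# Backup domain from the article; the Cloudflare IPFS gateway host is an assumption
SUSPECT_HOSTS = {"crustwebsites.net", "cloudflare-ipfs.com"}

# WinRAR password switches (-p<pw> sets a password, -hp<pw> also encrypts headers)
RAR_PASSWORD_SWITCH = re.compile(r"(?i)(?:^|\s)-h?p\S*")
SCHTASKS_CREATE = re.compile(r"(?i)/create\b")
NET_USER_ADD = re.compile(r"(?i)\buser\b.*\s/add\b")

# Constructed sample events (JSON lines); ids, paths and names are made up
SAMPLE_LOG = r"""
{"id": 1, "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -ep bypass -f C:\\Users\\Public\\init.ps1"}
{"id": 2, "type": "dns", "query": "crustwebsites.net"}
{"id": 3, "type": "file_create", "target": "C:\\Users\\Public\\phpupdate.exe"}
{"id": 4, "type": "process", "image": "C:\\Users\\Public\\phpupdate.exe", "cmdline": "phpupdate.exe -c config.json"}
{"id": 5, "type": "process", "image": "C:\\Program Files\\WinRAR\\rar.exe", "cmdline": "rar.exe a -hpS3cret -df C:\\Users\\bob\\Documents\\report.docx.rar1 C:\\Users\\bob\\Documents\\report.docx"}
{"id": 6, "type": "file_create", "target": "C:\\Users\\bob\\Documents\\report.docx.rar1"}
{"id": 7, "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc minute /mo 5 /tn phpguard /tr C:\\Users\\Public\\phpguard.exe"}
{"id": 8, "type": "process", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user sysadm P@ss123 /add"}
{"id": 9, "type": "process", "image": "C:\\Program Files\\WinRAR\\rar.exe", "cmdline": "rar.exe a backup.rar C:\\Users\\bob\\Documents"}
{"id": 10, "type": "dns", "query": "www.example.com"}
"""


def basename(path):
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of every rule the event triggers (possibly none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        img = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        # RAR1Ransom behaviour: rar.exe archiving with a password switch
        if img == "rar.exe" and RAR_PASSWORD_SWITCH.search(cmd):
            hits.append("rar_password_archive")
        # Any process that is, or references, one of the dropped files
        if img in DROPPER_FILES or any(f in cmd.lower() for f in DROPPER_FILES):
            hits.append("dropper_file_set")
        # GuardMiner persistence: scheduled task creation, new local account
        if img == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
            hits.append("persistence_scheduled_task")
        if img in ("net.exe", "net1.exe") and NET_USER_ADD.search(cmd):
            hits.append("persistence_new_account")
    elif kind in ("file_create", "file_rename"):
        target = ev.get("target", "").lower()
        if target.endswith(".rar1"):
            hits.append("rar1_extension")
        if basename(target) in DROPPER_FILES:
            hits.append("dropper_file_set")
    elif kind == "dns":
        if ev.get("query", "").lower() in SUSPECT_HOSTS:
            hits.append("dropper_infrastructure")
    return hits


def hunt(log_text):
    """Parse JSON-lines events; return {event_id: [rules]} for events with hits."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


def rule_counts(findings):
    """How many events each rule fired on, for a quick triage summary."""
    return Counter(rule for hits in findings.values() for rule in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for event_id, rules in sorted(found.items()):
        print(event_id, rules)
    print(dict(rule_counts(found)))
```

On a real estate, rar.exe with a password switch is also how legitimate backups are made (event 9 shows the unflagged benign case), so the archive rule is most useful when correlated with the rar1 extension, the dropper file names, or the persistence events on the same host, rather than alerted on alone.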

Flaws used by the miner for spreading (Fortinet)

Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet’s report indicates that many systems remain vulnerable.

The dangers have now shifted from limited-scale targeted attacks to large-scale infections using entire malware sets, while the inclusion of RAR1Ransom exposes companies to the risk of data loss.
