Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
The issue leveraged in the attacks is CVE-2022-22954, a remote code execution bug triggered through server-side template injection.
Researchers at cybersecurity company Fortinet observed that in the newest campaigns the threat actors deployed the Mirai botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
VMware released security updates when the flaw was disclosed on April 6. Once proof-of-concept (PoC) exploits became publicly available, the product quickly became a target for threat actors.
Within two weeks of the disclosure, BleepingComputer reported on the active exploitation of CVE-2022-22954 by APT35, a.k.a. Rocket Kitten, to backdoor vulnerable servers.
In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.
New campaigns
Starting in August, Fortinet saw a change in the attacks, which went from targeted data-exfiltration attempts to cryptominers, file-lockers, and enlistment of the hosts into a Mirai-variant DDoS botnet.
One interesting case is a pair of Bash and PowerShell scripts targeting Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.
The PowerShell script (“init.ps1”) downloads the following files from a Cloudflare IPFS gateway:
phpupdate.exe: Xmrig Monero mining software
config.json: Configuration file for mining pools
networkmanager.exe: Executable used to scan and spread infection
phpguard.exe: Executable used for guardian Xmrig miner to keep running
clean.bat: Script file to remove other cryptominers on the compromised host
encrypt.exe: RAR1 ransomware
If the Cloudflare resource is unavailable for any reason, the malware uses a backup link at “crustwebsites[.]net”.
RAR1Ransom attack
RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim’s files and lock them with a password.
Like most ransomware strains, RAR1Ransom targets a specific list of file types, and it appends the “rar1” extension to the resulting archives.
Eventually, the malware drops a ransom note requesting the payment of 2 XMR to a provided wallet address, which today corresponds to about $140.
Although there is no encryption, the files are still unavailable without a valid password.
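As an added defensive example (not code from the Fortinet report or from BleepingComputer), the following Python triages constructed process-creation events for two things the article describes: the file names the downloader drops, and WinRAR being driven to produce password-protected “.rar1” archives. The WinRAR switches used (-p/-hp to set a password, -df to delete the originals) are an assumption about how RAR1Ransom invokes the tool; the report does not state its exact command line.

```python
"""Triage process-creation events for the CVE-2022-22954 follow-on tooling.
Sample events are constructed; the WinRAR switches are assumptions."""
import re

# Files the init.ps1 downloader fetches, per the report. config.json and
# clean.bat are omitted: too generic to match on by name alone.
DROPPER_FILES = {"init.ps1", "phpupdate.exe", "networkmanager.exe",
                 "phpguard.exe", "encrypt.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}

# Assumed WinRAR switches: -p<pw> / -hp<pw> set a password (-hp also hides
# file names), -df deletes source files after they are archived.
PASSWORD_SWITCH = re.compile(r"(^|\s)-h?p\S*", re.IGNORECASE)
DELETE_SWITCH = re.compile(r"(^|\s)-df\b", re.IGNORECASE)
RAR1_TARGET = re.compile(r"\.rar1\b", re.IGNORECASE)

# Constructed sample events; the password value is a placeholder.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\Public\encrypt.exe", "cmdline": "encrypt.exe"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -hpCONSTRUCTED -df "D:\docs\report.docx.rar1" "D:\docs\report.docx"'},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'WinRAR.exe a "D:\backup\photos.rar" "D:\photos"'},
    {"image": r"C:\Windows\Temp\phpupdate.exe", "cmdline": "phpupdate.exe -c config.json"},
]


def classify(event):
    """Return the reasons an event matches this campaign (empty list if none)."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    reasons = []
    if image in DROPPER_FILES:
        reasons.append(f"dropper file name: {image}")
    if image in ARCHIVERS:
        if RAR1_TARGET.search(cmd):
            reasons.append("archive written with .rar1 extension")
        if PASSWORD_SWITCH.search(cmd) and DELETE_SWITCH.search(cmd):
            reasons.append("password-protected archive deleting originals")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that raised at least one."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

Ordinary WinRAR use (event 3 above) is not flagged: only the .rar1 extension or the password-plus-delete combination raises an alert.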
Local mining and spread
According to Fortinet, the threat actor uses the same Monero address in the ransom note to mine cryptocurrency on compromised Windows or Linux hosts using GuardMiner.
Fortinet first reported on GuardMiner in 2020, describing it as a fully fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.
In the variant used in the recent attacks, GuardMiner can spread to other hosts via the “networkmanager.exe” module by fetching and using exploits from a security-testing GitHub repository.
Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet’s report indicates that many systems remain vulnerable.
The dangers have now shifted from limited-scale targeted attacks to large-scale infections using entire malware sets, while the inclusion of RAR1Ransom exposes companies to the risk of data loss.