In April, VMware patched a vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published Threat Signal Report about it and also developed IPS signature in April.
We observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads, which got our interest. They had the intention of deploying Mirai targeting exposed networking devices running Linux, RAR1ransom that leverages legitimate WinRaR to deploy encryption, and GuardMiner that is a variant of xmrig used to “mine” Monero.
In this blog, we will elaborate on how these malware leveraged the VMware vulnerability and the behavior after exploitation in more detail.
Affected platforms: VMware Workspace ONE Access and Identity Manager Impacted parties: VMware users Impact: Attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands Severity level: Critical
Figure 1 CVE-2022-22954 Activity
Mirai Variant
The complete payload from Mirai is shown in Figure 2, it enters temp directory and downloads Mirai variant from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64, then executes with parameter “VMware”.
Figure 2 Attacking traffic capture
Figure 3 Decoded command
Like most Mirai botnets, this variant’s main jobs include deploying DoS and launching a brute force attack. We can decode part of the configuration after we XOR the data with 0x54 and get C2 server is “cnc[.]goodpackets[.]cc”. Following is the decoded strings:
Figure 4 Decoded configuration string
We also identify the brute force function with encoded account and password strings:
Figure 5 Functions for brute force attack
The decoded passwords are listed below, they are commonly used passwords and also some default credentials for well-known IoT devices:
hikvision | 1234 | win1dows | S2fGqNFs |
root | tsgoingon | newsheen | 12345 |
default | solokey | neworange88888888 | guest |
bin | user | neworang | system |
059AnkJ | telnetadmin | tlJwpbo6 | iwkb |
141388 | 123456 | 20150602 | 00000000 |
adaptec | 20080826 | vstarcam2015 | v2mprt |
Administrator | 1001chin | vhd1206 | support |
NULL | xc3511 | QwestM0dem | 7ujMko0admin |
bbsd-client | vizxv | fidel123 | dvr2580222 |
par0t | hg2x0 | samsung | t0talc0ntr0l4! |
cablecom | hunt5759 | epicrouter | zlxx |
pointofsale | nflection | admin@mimifi | xmhdipc |
icatch99 | password | daemon | netopia |
3com | DOCSIS_APP | hagpolm1 | klv123 |
OxhlwSG8 |
After being executed, the variant shows hardcoded string “InfectedNight did its job”, and sends heartbeat along with parameter “VMware”, then it will wait for further commands from C2 server. Below is the traffic session from heartbeat and brute force attack.
Figure 6 Heartbeat traffic capture
Figure 7 Brute force attack session
Initialization Script for RAR1Ransom and GuardMiner
Another noticeable payload is from 67[.]205[.]145[.]142. It contains two sessions, each has different commands depending on the victim’s operation system. One leveraged PowerShell to download “init.ps1”, the other uses curl, wget, and urlopen in Python library to download “init.sh”.
Figure 8 Attack traffic capture for Windows
Figure 9 Attack traffic capture for Linux
From the PowerShell script file “init.ps1”, it includes a few links to cloudflare-ipfs[.]com for further attack and each file has its own backup link to crustwebsites[.]net.
Figure 10 Download links in init.ps1
There are 7 files for initialization:
- phpupdate.exe: Xmrig Monero mining software
- config.json: Configuration file for mining pools
- networkmanager.exe: Executable used to scan and spread infection
- phpguard.exe: Executable used for guardian Xmrig miner to keep running
- init.ps1: Script file itself to sustain persistance via creating scheduled task
- clean.bat: Script file to remove other cryptominers on the compromised host
- encrypt.exe: RAR1 ransomware
Figure 11 "start encrypt" section in init.ps1
In the “start encrypt” section shown in Figure 11, it first checks “flag_encrypt.flag” before launching RAR1ransom, if the flag file existed and the “encrypt.exe” was also download before, it will delete “encrypt.exe” and go to the next stage. Otherwise, it checks the file size to determine if the file path should be updated or not. Finally, it executes the ransomware after checking process. The detail of RAR1 ransomware will be elaborated in the next section.
Then, the script starts the GuardMiner attack. GuardMiner is a cross-platform mining Trojan, which has been active since 2020. And FortiGuard Labs has a detailed report covering it. In this version, it also drops the script file “init.sh” for Linux system.
Figure 12 “init.sh” for Linux
We also noticed that GuardMiner updates “networkmanager.exe” with the more recently vulnerability. From the name of each exploit module, it might collect the exploit list from Chaitin Tech Github which is for security testing purposes.
Figure 13 rdata section contains vulnerability list in networkmanager.exe
We extract the complete vulnerability list below:
eyou-email-system-rce | maccms-rce |
thinkphp5-controller-rce | seacms-rce |
terramaster-tos-rce-cve-2020-28188 | spon-ip-intercom-ping-rce |
thinkphp5023-method-rce | yonyou-grp-u8-sqli-to-rce |
yccms-rce | gitlist-rce-cve-2018-1000533 |
phpunit-cve-2017-9841-rce | pandorafms-cve-2019-20224-rce |
yonyou-nc-bsh-servlet-bshservlet-rce | CVE-2022-22947-spring-clond-Gateway-RCE |
CVE-2022-22954-VMware-RCE | amtt-hiboss-server-ping-rce |
inspur-tscev4-cve-2020-21224-rce | dlink-dsl-2888a-rce |
phpstudy-backdoor-rce | Confluence-CVE-2022-26134 |
seacms-before-v992-rce | apache-flink-upload-rce |
dedecms-cve-2018-7700-rce | solr-velocity-template-rce |
webmin-cve-2019-15107-rce | jumpserver-unauth-rce |
Hotel-Internet-Manage-RCE | drupal-cve-2018-7600-rce |
seacms-v654-rce | S2-045-rce |
tamronos-iptv-rce | ecshop-rce |
satellian-cve-2020-7980-rce | opentsdb-cve-2020-35476-rce |
zeroshell-cve-2019-12725-rce | struts2-062-cve-2021-31805-rce |
dlink-cve-2019-16920-rce | h3c-imc-rce |
RAR1Ransom
RAR1ransom drops “rar.exe” in C:/Windows/Temp folder which is legitimate WinRaR software to compress a victim’s files with a password. It uses several default options in WinRaR to complete the encryption for efficiency, we can locate these processes from Process Explorer in Figure 14.
Figure 14 Processes while RAR1Ransom encrypted files
The whole command is below, options “df” and “m0” mean delete files after adding files to archive without compression, “mt10” means it will use ten threads, and “ep” means exclude path from name. The “hp” is to encrypt both file data and headers with password.
C:/Windows/Temp/rar.exe a -df -m0 -mt10 -ep -hpVbDsLHSfbomQiQ6YuP7m1ZaNP0LQqYpzrkjwvuNSjsnQlicOxNPi0iKzKeQO1Besbpbx1iKWNeOfFQDEw8qaoAGmN1Nx9i0vbUcr "C:/Python27/Lib/json/MVXGG33EMVZC44DZ.rar1" "C:/Python27/Lib/json/MVXGG33EMVZC44DZ"
RAR1Ransom targets a compromised victim’s file with particular extensions as in Figure 15.
Figure 15 Target file extension
All the encrypted files will have an unique filename and “.rar1” extension, and it drops a text file “READ_TO_DECRYPT.txt” in the same folder with message in Figure 17.
Figure 16 Encrypted files
Figure 17 Ransom note
From the wallet string in the ransom note, which is identical with the one in the miner’s configuration shown in Figure 17. We can tell the attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency.
Figure 18 Configuration”config.json” for GuardMiner
Conclusion
Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it. Users should always keep systems updated and patched and be aware of any suspicious process in environment. These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving. FortiGuard Labs will continue to monitor and provide the latest updates.
Fortinet Protections
Fortinet released IPS signature VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution for CVE-2022-22954 to proactively protect our customers. The signature is officially released in IPS definition version 20.297.
The scripts and malwares are detected and blocked by FortiGuard Antivirus, and FortiEDR services:
Adware/Miner W32/PossibleThreat Riskware/Agent BASH/CoinMiner.RZ!tr PowerShell/CoinMiner.BW!tr ELF/GuardMiner.A!tr W64/GuardMiner.A!tr BAT/Cleaner.CC41!tr
IOCs
SHA256:
66db83136c463441ea56fb1b5901c505bcd1ed52a73e23d7298f7055db2108d1 4761e5d9bd3ebe647fbd7840b7d2d9c1334bde63d5f6b05a4ed89af7aa3a6eab 9c00823295f393358762542418bb767b44cfe285c4ab33e7e57902c6e1c2dacb 23270d23f8485e3060f6ea8c9879177781098b1ed1b5117579d2f4d309aeffd2 4b3578ee9e81f356a89ff2e1aff6bbee8441472869b0c6c4792fc9fd486a0df5 0212b447c25e9db55f7270e1e2a45846e2261445474845997a314cb1ddeea4f7 a372e07a691f8759e482615fd7624bfca2a2bc2cd8652a47ff9951ff035759a5 f2a6827ea5f60cefc2f6528269b2d1557a7cc1e68f84edca4029e819dd0509cb 4b4c0d3cb708612b1fdb0394e029e507e4c0f6136fc44e415200694624ed5b68 7fc7c242ad1fa439e515725561a9e304b3d94e40ba91f61df77471a4c2ff2b39