
Ransomware gangs using Log4Shell to attack VMware instances

Ransomware groups are exploiting the Log4Shell flaw in VMware Horizon and using DLL sideloading techniques to exfiltrate and encrypt data, according to Trend Micro.

Ransomware actors are exploiting the well-known Log4Shell vulnerability to take over systems running VMware Horizon.

Researchers at Trend Micro observed active attacks in the wild that prey on the logging vulnerability to conduct ransomware attacks. The infections were attributed to members of the LockBit ransomware group and were connected to both data ransom and extortion attempts threatening data disclosure.

According to Trend Micro, the attackers first exploited the Log4Shell vulnerability to obtain command-line access to VMware Horizon through Microsoft's PowerShell. From that PowerShell session, the actual malware was retrieved in the form of malicious DLLs and executables.

DLL sideloading attacks can be particularly difficult to spot because they rely on malicious libraries that run in memory and can often go unchecked by security tools.

The Trend Micro researchers found that the malicious DLLs checked for the presence of debuggers and Microsoft's default security tools before proceeding with additional malware downloads and installations, and before uploading data to several Dropbox locations.

From there, the attackers sought to keep their access to the infected machines by covertly installing a proxy tool known as node.exe, which provides remote shell access even after the compromised PC has supposedly been purged of malware.

The researchers noted that the victim would not have been notified of the ransomware infection until 10 days after the initial intrusion.

"In the cases we analyzed, there were different files used to sideload malicious DLLs. The file mfeann.exe is an executable responsible for event creation and logging," explained Trend Micro cyber threat intelligence researcher Mohamed Fahmy.

"It is a legitimate executable, signed by a known security company, but we found that threat actors misused it to sideload a malicious DLL named LockDown.DLL."

Fahmy noted that Trend Micro was not the first to spot these attacks. The team at SentinelOne first noticed that the LockBit crew was abusing the Log4Shell flaw within VMware systems in an effort to spread its malware.

SentinelOne researchers James Haughom, Júlio Dantas and Jim Walter reported in April that the vmwareXferlogs executable could be made to load malicious DLL files that let the LockBit hackers launch Cobalt Strike remote hijacking tools and then upload their ransomware.

"In this instance, the threat actor used PowerShell to download the VMware xfer logs utility along with a malicious DLL, and a .log file containing an encrypted Cobalt Strike Reflective Loader," the SentinelOne team explained. "The VMware utility was then executed via cmd.exe, passing control flow to the malicious DLL."
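The chain described in the two research reports above (a PowerShell download, then a signed vendor executable such as mfeann.exe or VMwareXferlogs.exe loading a malicious DLL) leaves two observable traces on an endpoint: a PowerShell process whose command line fetches content from the network, and an image-load event in which a known sideloading host loads an unsigned DLL or runs from a directory where the vendor never installed it. The following hunting script is an added example, not tooling from Trend Micro, SentinelOne or VMware. It assumes Sysmon-style event IDs (1 for process creation, 7 for image load), assumes the PowerShell download cmdlet names it matches on, and uses constructed sample events with placeholder paths (the vendor install directory, the downloaded DLL name) rather than real telemetry.

```python
"""Hunt for PowerShell download cradles and suspicious DLL sideloading by
known-abused signed executables over Sysmon-style events.
Added example; event layout, cmdlet list and paths are assumptions."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed executables the reports name as sideloading hosts.
ABUSED_HOSTS = {"mfeann.exe", "vmwarexferlogs.exe"}

# Directories where a vendor-installed binary is expected to live (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# PowerShell primitives commonly used to fetch a payload (assumed list).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|\biwr\b",
    re.IGNORECASE,
)


@dataclass
class Event:
    event_id: int            # 1 = process creation, 7 = image load (Sysmon IDs)
    image: str               # full path of the process image
    command_line: str = ""   # only meaningful for event_id 1
    loaded_image: str = ""   # DLL path, only meaningful for event_id 7
    signed: bool = True      # Authenticode status of the loaded image


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_event(ev: Event) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    if ev.event_id == 1 and _name(ev.image) in {"powershell.exe", "pwsh.exe"}:
        if DOWNLOAD_RE.search(ev.command_line):
            reasons.append("PowerShell download cradle")
    elif ev.event_id == 7 and _name(ev.image) in ABUSED_HOSTS:
        if not _under_trusted_root(ev.image):
            reasons.append(f"{_name(ev.image)} running outside an install directory")
        if not ev.signed:
            reasons.append(f"unsigned DLL {_name(ev.loaded_image)} loaded by {_name(ev.image)}")
    return reasons


def hunt(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, reason) pairs for every suspicious event."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]


# Constructed sample telemetry; paths and the DLL name 'sideload.dll' are placeholders.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"powershell.exe -c Invoke-WebRequest http://example.invalid/a.log -OutFile C:\Users\Public\a.log"),
    Event(7, r"C:\Users\Public\VMwareXferlogs.exe",
          loaded_image=r"C:\Users\Public\sideload.dll", signed=False),
    Event(7, r"C:\Program Files\Vendor\mfeann.exe",
          loaded_image=r"C:\Program Files\Vendor\LockDown.DLL", signed=False),
    Event(7, r"C:\Program Files\Vendor\mfeann.exe",
          loaded_image=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -c Get-Process"),
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The two image-load checks are deliberately independent: a host executable copied into a user-writable directory is suspicious even if the DLL it loads happens to carry a valid signature, and an unsigned DLL loaded by a host in its legitimate install directory is suspicious even though the host itself is where it belongs. Real deployments would pull the signature status from the endpoint agent rather than a field in the event, and would tune the trusted-root list to where the vendor products are actually installed.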

First discovered and disclosed late last year, the Log4Shell bug (CVE-2021-44228) is a vulnerability in the Log4j Java logging framework that allows commands to be injected into applications through routine log entries.

While the flaw has since been patched by most vendors, the long tail of Log4Shell use means that many applications are vulnerable without the knowledge of their developers, creating a supply chain threat.

Fahmy noted in the blog post that Trend Micro has observed several cases of sideloading attacks on VMware Horizon, though it's unclear how widespread the activity is. VMware did not respond to a request for comment from SearchSecurity.
