Saturday, April 13, 2024

Hackers Exploit Critical VMware Flaw to Drop Ransomware & Miners

Researchers at FortiGuard Labs noticed multiple malware campaigns targeting the VMware vulnerability to deploy cryptocurrency miners and ransomware on affected machines.

The critical vulnerability is tracked as CVE-2022-22954 (CVSS score: 9.8), a remote code execution vulnerability that causes server-side template injection. VMware patched this vulnerability, yet came under active exploitation in the wild.

An attacker can trigger the vulnerability to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.

“Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc”, Fortinet FortiGuard Labs.

“They had the intention of deploying Mirai targeting exposed networking devices running Linux, RAR1ransom that leverages legitimate WinRAR to deploy encryption and GuardMiner that is a variant of xmrig used to “mine” Monero”.

Figure 1 CVE-2022-22954 Activity
CVE-2022-22954 Activity

Researchers say this variant’s work is to deploy DoS and launch a brute force attack like most Mirai botnets.

RAR1Ransom and GuardMiner Attack

Reports say the distribution of RAR1Ransom and GuardMiner is achieved by means of a PowerShell or a shell script depending on the operating system. 

RAR1ransom is prominent for leveraging the legitimate WinRAR utility to lock files in password-protected archives.

The PowerShell script downloads the following files from a Cloudflare IPFS gateway:

  • phpupdate.exe: Xmrig Monero mining software
  • config.json: Configuration file for mining pools
  • networkmanager.exe: Executable used to scan and spread infection
  • phpguard.exe: Executable used for guardian Xmrig miner to keep running
  • clean.bat: Script file to remove other cryptominers on the compromised host
  • encrypt.exe: RAR1 ransomware

RAR1Ransom is a ransomware tool that abuses WinRAR to compress the victim’s files and lock them with a password. GuardMiner is a cross-platform mining Trojan, which has been active since 2020.

Abuse of rar.exe to lock down files
Abuse of ‘rar.exe’ to lock down files

RAR1Ransom targets a compromised victim’s file with particular extensions.

Figure 15 Target file extension
Target file extension
Figure 17 Ransom note
Ransom Note

“We can tell the attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency”, Fortinet FortiGuard Labs

Therefore, users are advised to keep their systems updated and patched and be aware of any suspicious processes in the environment. 

“These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving”, concludes the report.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles