An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploits the Log4Shell vulnerability in unpatched VMware Horizon Servers.
According to new research published by BlackBerry Research & Intelligence and Incident Response (IR) teams today, the cybercrime actor has been opportunistically weaponizing the shortcoming to download a second-stage payload onto the victimized systems.
The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service (NHS) that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.
Log4Shell is a moniker used to refer to an exploit affecting the popular Apache Log4j library that results in remote code execution by logging a specially crafted string. Since public disclosure of the flaw last month, threat actors have been quick to operationalize this new attack vector for a variety of intrusion campaigns to gain full control of affected servers.
BlackBerry said it observed instances of exploitation mirroring tactics, techniques, and procedures (TTPs) previously attributed to the Prophet Spider eCrime cartel, including the use of “C:\Windows\Temp\7fde\” folder path to store malicious files and “wget.bin” executable to fetch additional binaries as well as overlaps in infrastructure used by the group.
images from Hacker News