Iranian Rocket Kitten Probably Behind VMware Mining

A team of Iranian cyber-spies dubbed Rocket Kitten, meanwhile, are likely behind attempts to exploit a critical remote code execution vulnerability in VMware’s identity management software, according to the terminal security company Morphisec.

Earlier this month, VMware disclosed and patched the security flaw, identified as CVE-2022-22954, in its Workspace ONE Access and Identity Manager software. In terms of CVSS severity, the bug was rated 9.8 out of 10. We note that the virtualization giant revised its advisory on the matter on April 13 to say that malefactors had exploited the vulnerability in the wild.

The bug involves server-side model injection and can be abused by anyone with network access. The exploit basically opens the way for intruders to deploy ransomware, steal data and perform any other dirty deeds.

Finding and exploiting a vulnerability in VMware’s platform is particularly appealing due to the company’s extensive reach into virtually every enterprise on the planet. According to the vendor, more than 500,000 organizations worldwide use its virtualization and cloud computing software.

VMware patched its faulty software on April 6, and the attackers weren’t far behind. A proof-of-concept exploit appeared on April 11, and two days later a malicious exploit was observed in the wild, according to Morphisec.

The Security Workshop analysis, released this week, claimed that Advanced Persistent Threat groups are behind the exploit and used the vulnerability to install HTTPS-based backdoors into victims’ networks. . They also noted that “the tactics, techniques and procedures used in the attack are common among groups such as the Iran-linked Rocket Kitten.”

Rocket Kitten, reportedly sponsored by Tehran, targets government agencies, defense contractors, academic institutions and journalists in North America, Europe and the Middle East for cyber espionage.

We are told that the VMware Server-Side Model Injection flaw affects an Apache Tomcat component and could allow Rocket Kitten, or any other malefactor, to execute malicious commands on a host server. After penetrating through this hole, the intruders used PowerShell to download and execute the next step: the PowerTrash Loader, which Morphisec says is “a very obfuscated PowerShell script with around 40,000 lines of code.”

The loader decompresses a payload and injects it into memory. The final attack payload was a Core Impact agent, which is a legitimate penetration testing tool.

However, as Morphisec and others have noted, this framework and other penetration testing frameworks, such as Cobalt Strike and Metaspoit, are used by cybercrime gangs to maintain network access, exfiltrate information, execute commands, deliver ransomware and deploy other malicious payloads. .

“As with other penetration testing frameworks, these are not always used with good intentions,” the researchers wrote, adding that Trend Micro found [PDF] “a modified version of Core Impact was used in the Woolen-GoldFish campaign linked to Rocket Kitten group APT35.”

Morphisec was able to extract the command and control server address, the client version and the communication encryption key from the code; see text above for technical details. ®

Comments are closed.