New Core Impact Backdoor Delivered Via VMWare Vulnerability

Morphisec is a world leader in preventing evasive polymorphic threats launched from zero-day exploits. On April 14 and 15, Morphisec identified exploitation attempts for a week-old VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability. BleepingComputer reports similar attempts have been seen in the wild. Due to indicators of a sophisticated Core Impact backdoor, Morphisec believes advanced persistent threat (APT) groups are behind these VMWare identity manager attack events. The tactics, techniques, and procedures used in the attack are common among groups such as the Iranian linked Rocket Kitten. 

VMWare is a $30 billion cloud computing and virtualization platform used by 500,000 organizations worldwide. A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest privileged access into any components of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits. 

This new vulnerability is a server-side template injection that affects an Apache Tomcat component, and as a result, the malicious command is executed on the hosting server. As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application. A malicious actor with network access can use this vulnerability to achieve full remote code execution against VMware’s identity access management. Workspace ONE Access provides multi-factor authentication, conditional access, and single sign-on to SaaS, web, and native mobile apps. 

This attack turned around remarkably fast: 

• A patch for the initial vulnerability was released on April 6 
• On April 11 a proof of concept for the attack appeared 
• On April 13 exploits were identified in the wild

Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR). 

Morphisec Labs has analyzed this new attack in detail below. 

Morphisec console attack details

Technical Analysis

Full attack chain

The attacker gains initial access to an environment by exploiting a VMWare Identity Manager Service vulnerability. The attacker can then deploy a PowerShell stager that downloads the next stage, which Morphisec Labs identified as the PowerTrash Loader. Finally, an advanced penetration testing framework—Core Impact—is injected into memory.

VMWare Identity Manager Vulnerabilities

The Morphisec blog post Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk showed how attackers previously exploited VMWare’s Horizon Tomcat service. Unfortunately, malice never sleeps. Threat actors are now exploiting another VMWare component, the VMWare Identity Manager service. 

Several vulnerabilities have recently been reported for this service: 

While CVE-2022-22957 and CVE-2022-22958 are RCE vulnerabilities, they require administrative access to the server. CVE-2022-22954 however, doesn’t, and already has an open-source proof of concept in the wild.

Powershell Stager

The attacker exploited the service and ran the following PowerShell command:

Stager encoded in base64 

Which translates to:

Decoded stager

As you can see at the end, this is an encoded command where each character is subtracted by one. When doing so we get the URL from which the next stage is downloaded:

Decoded #2 stager

PowerTrash Loader

The PowerTrash Loader is a highly obfuscated PowerShell script with approximately 40,000 lines of code.

Snippet from the PowerTrash Loader

This loader decompresses the deflated payload and reflectively loads it in memory, without leaving forensic evidence on the disk. We’ve previously seen the PowerTrash Loader leading to  JSSLoader. 

This time the final payload was different—a Core Impact Agent.

Core Impact Agent

Core Impact is a penetration testing framework developed by Core Security. As with other penetration testing frameworks, these aren’t always used with good intentions. TrendMicro reported a modified version of Core Impact was used in the Woolen-GoldFish campaign tied to the Rocket Kitten APT35 group.

We can extract the C2 address, client version, and communication encryption key located in an embedded string:

C2 Server: 185.117.90[.]187 

Client Version: 7F F7 FF 83 (HEX)

256-Bit Key: cd19dbaa04ea4b61ace6f8cdfe72dc99a6f807bcda39ceab2fefd1771d44ad288b76bc20eaf9ee26c9a175bb055f0f2eb800ae6010ddd7b509e061651ab5e883d491244f8c04cbc645717043c74722bee317754ea1df13e446ca9b1728f1389785daecf915ce27f6806c7bfa2b5764e88e2957d2e9fcfd79597b3421ea4b5e6f (ASCII)

Additional Threat Relations

A reverse look-up on the Stager server leads to a new web hosting server named ‘Stark Industries’ registered in London.

Stager server IP reverse lookup result

The company was registered on February 2022 and is linked to a certain person.

There is a dedicated profile page for him on hucksters.net which exposes spammers, fraudsters, and other bad actors.

Such person is infamous for owning web hosting companies used for malicious and illegal activities. Among them is pq[.]hosting which is easily correlated to stark-industries[.]solutions.

Correlation between the web hosting companies

Indicators of Compromise

Morphisec is currently not releasing the indicators of compromise (IOCs) publicly. To request the IOCs, please email Morphisec CTO Michael Gorelik.

Protect Yourself Against This VMWare Identity Manager Attack

The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries. Anyone using VMWare’s identity access management should immediately apply the patches VMWare has released. Organizations unable to immediately apply the patch(es) should consider virtual patching. VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.

Morphisec customers are protected against these backdoor attacks and others like it. Morphisec’s MTD technology implements a virtual patch by creating a dynamic attack surface to prevent the successful deployment of CoreImpact, Cobalt Strike and Metasploit beacons. These beacons are highly evasive and can bypass the AV, EDR, MDR, and XDR deployed on endpoints. Morphisec’s MTD technology provides early visibility and prevention of vulnerability exploitation. It enables quick containment without creating false positive alerts. 

For better risk management, organizations should adopt a preventative approach that proactively stops breaches before they infiltrate. Morphisec’s Moving Target Defense technology uses polymorphism against attackers to hide vulnerabilities from threat actors while reducing your attack surface. To learn more, read Morphisec’s white paper: Zero Trust + Moving Target Defense: Stopping Ransomware, Zero-Day, and Other Advanced Threats Where NGAV and EDR Are Failing.