Newly patched VMware vulnerability exploited by Iranian espionage group, Rocket Kitten

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

An Iranian cyber espionage gang known as Rocket Kitten has began delivering the Core Impact penetration testing tool on susceptible computers by exploiting a newly fixed severe vulnerability in VMware Workspace ONE Access/Identity Manager program.

Threat actors use the VMWare Identity Manager Service flaw (CVE-2022-22954) to acquire initial access to a target system, then install a PowerShell stager to download the next stage payload, nicknamed PowerTrash Loader. The PowerTrash Loader is a 40,000-line PowerShell script that has been substantially obfuscated. PowerTrash Downloader introduces the penetration testing framework Core Impact to memory at the end of the attack chain.

The MITRE ATT&CK TTPs commonly used by Rocket Kitten are:

TA0001: Initial Access       

TA0002: Execution       

TA0006: Credential Access       

TA0009: Collection       

TA0011: Command and Control

T1059 – Command and Scripting Interpreter

T1189 – Drive-by Compromise

T1555.003: Credentials from Password Stores: Credentials from Web Browsers

T1105: Ingress Tool Transfer

T1056.001: Input Capture: Keylogging

T1566.001: Phishing: Spearphishing Attachmet

T1566.003: Phishing: Spearphishing via Servicen

T1204.002: User Execution: Malicious File

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Links

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

References

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor