Trend Micro Research recently analyzed several cases in which the Log4Shell vulnerability was exploited in certain versions of VMware Horizon. After investigating the chain of events, they found that many of these attacks resulted in data being exfiltrated from the compromised systems. However, the researchers also found that some of the victims were infected with ransomware days after the data exfiltration.
This investigation is related to a recent report from the security research team Sentinel Labs, which describes a technique used by the LockBit ransomware-as-a-service (RaaS) operation that takes advantage of a command-line utility shipped with VMware. Their investigation showed that this utility can be abused for DLL sideloading.
The Trend Micro researchers observed behavior similar to that described by Sentinel Labs in terms of entry points and sideloading, but the investigation discussed in this article focuses on the exfiltration and lateral-movement techniques.
Source: Trend Micro