Trend Micro Research recently analyzed several cases of a Log4Shell vulnerability being exploited in certain versions of the software VMware Horizon. After investigating the chain of events, we found that many of these attacks resulted in data being exfiltrated from the infected systems. However, we also found that some of the victims were infected with ransomware days after the data exfiltration.

This investigation is related to a recent report from security team Sentinel Labs, which describes a technique used by the LockBit ransomware-as-a-service (RaaS) that takes advantage of a command line utility in VMware. Their investigation showed that through this utility, VMware is susceptible to sideloading DLLs.