The official website for the RVTools VMware administration tool was taken offline in what appears to be a supply chain attack that distributed a trojanized installer to drop the Bumblebee malware loader on users' machines.
At the time of writing, the official RVTools websites at 'rvtools.com' and 'robware.net' are displaying a notice warning about the risks of downloading the tool from other sources. The message gives no estimate as to when the download portals will return online.
"Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," reads the website notice.
"Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources."

Source: BleepingComputer.com
RVTools supply chain attack
RVTools, originally developed by Robware and now owned by Dell, is a Windows utility that provides comprehensive inventory and health reporting for VMware vSphere environments.
RVTools is widely regarded as an essential tool for VMware administrators, and VMware's own Virtual Blocks Blog has recognized it as a top utility for vSphere management.
The supply chain attack was first discovered by ZeroDay Labs researcher Aidan Leon, who warned that the official RVTools installer [VirusTotal] attempted to execute a malicious version.dll [VirusTotal] that was detected as the Bumblebee malware loader.
"Further investigation revealed a mismatch between the file hash listed on the RVTools website and the actual file being downloaded," explains Leon.
"The downloaded version was significantly larger and contained the malicious version.dll. Older versions of RVTools did not contain this file and matched their published hashes correctly."
"Approximately one hour after our VirusTotal submission, the number of public submissions rose from 4 to 16. Around this same time, the RVTools website went temporarily offline. When it came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site."
Bumblebee is a malware loader that is commonly promoted through SEO poisoning, malvertising, and phishing attacks. Once installed, the malware downloads and executes additional payloads on infected devices, such as Cobalt Strike beacons, information stealers, and ransomware.
The malware has been tied to the Conti ransomware operation, which used it to gain initial access to corporate networks. While the Conti ransomware operation shut down in 2022, many of its members split off into other ransomware operations, including Black Basta, Royal, Silent Ransom, and others, who likely still have access to the tooling.
Cybersecurity firm Arctic Wolf also reports seeing trojanized RVTools installers distributed through malicious typosquatted domains, likely promoted through SEO poisoning or malvertising.
"Arctic Wolf has recently observed the distribution of a trojanized RVTools installer via a malicious typosquatted domain," reads the Arctic Wolf report.
"The domain matches the legitimate domain, however, the Top Level Domain (TLD) is changed from .com to .org. RVTools is a widely used VMware utility for inventory and configuration reporting, developed by Robware."
Recently, there have been other reports of SEO poisoning and malvertising campaigns targeting the RVTools brand to trick people into downloading malicious, trojanized installers.
If you downloaded software from these domains, there is a good chance your system is infected with the Bumblebee malware and possibly additional payloads.
As the malware is used by threat actors to gain a foothold on corporate networks, if it is detected, it is critical to perform a full investigation to determine whether other devices were compromised.
Do not download and execute RVTools installers from unofficial sources claiming to offer a safe/clean version, unless you verify the installer's hash against the one published on the official site.
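The checks Leon describes above (published hash versus downloaded file, an unexpectedly larger download, and a bundled version.dll that earlier releases never shipped) and the advice to verify the hash before running an installer can be scripted. The following is an added example, not code from BleepingComputer, Robware, or the researchers; the "published" hash, file sizes, and file manifest are constructed placeholders rather than RVTools' real release data.

```python
import hashlib
import os
import tempfile

# Constructed example, not RVTools' real release data: the "published" hash is
# computed from a stand-in clean file, and the file manifest is illustrative.
SIDELOAD_NAMES = {"version.dll"}  # the DLL name reported in the incident

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_installer(path, published_sha256, expected_size=None):
    """Compare a download against the vendor's published hash and, if known, its size.
    Returns a list of findings; an empty list means the file checks out."""
    findings = []
    if sha256_of(path).lower() != published_sha256.lower():
        findings.append("hash mismatch: download does not match the published hash")
    size = os.path.getsize(path)
    if expected_size is not None and size != expected_size:
        findings.append(f"size mismatch: {size} bytes, expected {expected_size}")
    return findings

def unexpected_files(install_dir, known_good_manifest):
    """Names in an installed tree that the known-good release never shipped;
    a DLL with a classic side-loading name such as version.dll is always reported."""
    present = set(os.listdir(install_dir))
    return sorted((present - set(known_good_manifest)) | (present & SIDELOAD_NAMES))

def run_demo():
    """Build a clean and a tampered installer plus an install tree (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        clean, tampered = os.path.join(d, "clean.msi"), os.path.join(d, "tampered.msi")
        body = b"MSI-PLACEHOLDER-CLEAN" * 1000
        with open(clean, "wb") as f:
            f.write(body)
        with open(tampered, "wb") as f:
            f.write(body + b"EXTRA-PAYLOAD" * 100)  # larger, like the trojanized build
        published, size = sha256_of(clean), os.path.getsize(clean)
        inst = os.path.join(d, "install")
        os.mkdir(inst)
        for name in ("RVTools.exe", "version.dll"):
            open(os.path.join(inst, name), "wb").close()
        return {"clean": verify_installer(clean, published, size),
                "tampered": verify_installer(tampered, published, size),
                "extra": unexpected_files(inst, ["RVTools.exe"])}
```

For a real download, call verify_installer() with the SHA-256 string copied from the vendor's page and unexpected_files() with a manifest taken from a known-good installation of the same version.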
BleepingComputer contacted Dell, the owner of RVTools, to learn more about the attack and will update this story if we receive a response.