{"id":49009,"date":"2022-10-25T00:00:00","date_gmt":"2022-10-25T00:00:00","guid":{"rendered":"urn:uuid:afc237ce-1f63-e217-ff85-00f0cfe07a90"},"modified":"2022-10-25T00:00:00","modified_gmt":"2022-10-25T00:00:00","slug":"lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/","title":{"rendered":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/lv-ransomware-proxyshell-641.png\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack.html\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.854006671321\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"625986763\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.741214057508\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.907348242812\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__description\">Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint<\/p>\n<p class=\"article-details__author-by\">By: Mohamed Fahmy, Sherif Magdy, Ahmed Samir <time class=\"article-details__date\">October 25, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40.144919168591\">\n<div readability=\"28.94168591224\">\n<p>The Trend Micro research team recently analyzed an infection related to the LV <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/definition\/ransomware\">ransomware<\/a> group, a <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware-as-a-service-raas\">ransomware as a service<\/a> (RaaS) operation that has been active since late 2020 and is reportedly based on <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-revil\">REvil<\/a> (aka Sodinokibi). The exact nature of the relationship between the LV ransomware and REvil groups cannot be definitively established or verified \u2014 the LV ransomware\u2019s developers do not appear to have had access to the REvil source code and most likely modified the REvil binary instead. According to previous <a href=\"https:\/\/www.secureworks.com\/research\/lv-ransomware\">research<\/a>, the group that operates REvil is said to have either sold the source code, had it stolen, or shared it with the LV ransomware group as part of a partnership. We believe that the threat actor operating LV ransomware simply replaced the embedded configuration of a REvil v2.03 beta build to repurpose the REvil binary for its own ransomware operations.<\/p>\n<p>The group\u2019s namesake ransomware has seen a reemergence since the second quarter of 2022, with our investigation revealing a surge in the number of breaches undertaken by the group. Furthermore, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack\/\">an alert issued by the German Federal Office for Information Security<\/a> in August 2022 reveals that the ransomware\u2019s operators were blackmailing the semiconductor company Semikron by threatening to leak allegedly stolen data.<\/p>\n<p>In this blog entry, we will provide details on a recent intrusion performed by a group affiliate that involved the compromise of the corporate environment of a Jordan-based company. 
In this incident, the attackers used the double-extortion technique to blackmail their victims, threatening to release allegedly stolen data in addition to encrypting the victim\u2019s files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5fd832\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-1.png\" alt=\"Figure 1. A screenshot showing a sample ransom amount demanded by malicious actors for an LV ransomware infection\"> <\/a><figcaption>Figure 1. A screenshot showing a sample ransom amount demanded by malicious actors for an LV ransomware infection<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>In December 2021, we observed a post on a cybercrime forum from a malicious actor claiming to operate the LV ransomware and seeking network access brokers. The malicious actor expressed interest in obtaining network access to Canadian, European and U.S. entities and then monetizing them by deploying the ransomware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-2a.png\" alt=\"Figure 2. 
A post from a malicious actor claiming to operate the LV ransomware seeking network access brokers (original language and translated versions)\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-2b.png\" alt=\"Figure 2. A post from a malicious actor claiming to operate the LV ransomware seeking network access brokers (original language and translated versions)\"><figcaption>Figure 2. A post from a malicious actor claiming to operate the LV ransomware seeking network access brokers (original language and translated versions)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Reported LV ransomware breaches have been increasing since the second quarter of 2022, which aligns with the malicious actor\u2019s efforts to expand its affiliates program. The chart shown in figure 3 illustrates this increase in activity.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-3.png\" alt=\"Figure 3. The number of incidents that are reportedly related to LV ransomware have been on the rise\"><figcaption>Figure 3. 
The number of incidents that are reportedly related to LV ransomware have been on the rise<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Based on data from Trend Micro\u2122 Smart Protection Network\u2122 and other internal sources, Europe was the region with the highest number of breach alerts, while the US and Saudi Arabia were the countries with the highest number of reported incidents caused by the ransomware payload. The attacks spanned multiple industry verticals \u2014 with manufacturing and technology being the most affected industries \u2014 demonstrating the group\u2019s opportunistic approach.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-4.png\" alt=\"Figure 4. The regions most affected by LV ransomware in 2022\"><figcaption>Figure 4. The regions most affected by LV ransomware in 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-5.png\" alt=\"Figure 5. The countries most affected by LV ransomware in 2022\"><figcaption>Figure 5. The countries most affected by LV ransomware in 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-6.png\" alt=\"Figure 6. The sectors most affected by LV ransomware in 2022\"><figcaption>Figure 6. 
The sectors most affected by LV ransomware in 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.044444444444\">\n<div readability=\"21.277777777778\">\n<p>This section details the tactics, techniques, and procedures (TTPs) used by the affiliate that infiltrated one of the targeted victims\u2019 environments, as observed from an incident response viewpoint.<\/p>\n<p>The ProxyShell (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-34473\">CVE-2021-34473<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-34523\">CVE-2021-34523<\/a>, and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-31207\">CVE-2021-31207<\/a>) and ProxyLogon (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-26855\">CVE-2021-26855<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-27065\">CVE-2021-27065<\/a>) vulnerabilities in Microsoft Exchange have been observed to be <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/witchetty-steganography-espionage\">exploited by malicious actors to target government institutions<\/a>. Similarly, initial access in this attack began on the Exchange servers in the targeted environment: in early September 2022, a web shell was dropped into a publicly accessible folder via ProxyShell exploitation.<\/p>\n<p>The attacker then established persistence for malicious PowerShell code, stored in a registry key, that downloaded and executed a second PowerShell backdoor on the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-7.png\" alt=\"Figure 7. 
The persistent PowerShell code as seen from the registry key\"><figcaption>Figure 7. The persistent PowerShell code as seen from the registry key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-8.png\" alt=\"Figure 8. The malicious PowerShell code shown running on the Exchange server under the powershell.exe process\"><figcaption>Figure 8. The malicious PowerShell code shown running on the Exchange server under the powershell.exe process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The same IP address that hosted the malicious PowerShell code was also found serving a tunneling tool that we believe was used for data exfiltration.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-9.png\" alt=\"Figure 9. The IP address 185[.]82[.]219[.]201 shown hosting the Gost tunneling tool\"><figcaption>Figure 9. The IP address 185[.]82[.]219[.]201 shown hosting the Gost tunneling tool<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-proxyshell-10.png\" alt=\"Figure 10. The malicious PowerShell code that was first logged on September 6, 2022\"><figcaption>Figure 10. 
The malicious PowerShell code that was first logged on September 6, 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>Based on our analysis of the Internet Information Services (IIS) access logs on the infected Exchange servers, the following IP addresses were observed exploiting the ProxyShell vulnerabilities during the same timeframe as the intrusion:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">138[.]199[.]47[.]184<\/span><\/li>\n<li><span class=\"rte-red-bullet\">195[.]242[.]213[.]155<\/span><\/li>\n<li><span class=\"rte-red-bullet\">213[.]232[.]87[.]177<\/span><\/li>\n<li><span class=\"rte-red-bullet\">91[.]132[.]138[.]213<\/span><\/li>\n<li><span class=\"rte-red-bullet\">91[.]132[.]138[.]221<\/span><\/li>\n<\/ul>\n<p>For credential access and lateral movement, the attackers used Mimikatz to dump credentials, while NetScan and Advanced Port Scanner were used for discovery. Event logs collected from one of the infected Exchange servers show many successful logins with compromised user accounts a day before the ransomware infection on September 8, 2022.<\/p>\n<p>Once the attacker gained access to the domain controller via Remote Desktop Protocol (RDP) using the compromised domain administrator account, the ransomware samples were dropped on that server, and on Sep 9, 2022 a malicious group policy containing a scheduled task was created to execute the ransomware from a shared folder hosted on the domain controller.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"afe937\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-11.png\" alt=\"Figure 11. The malicious scheduled task &quot;GoogleUpdateUX&quot; from Registry hives\"> <\/a><figcaption>Figure 11. The malicious scheduled task &#8220;GoogleUpdateUX&#8221; from Registry hives<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2fdfb8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-12.png\" alt=\"Figure 12. The malicious scheduled task running the malicious batch file \u201c1.bat\u201d\"> <\/a><figcaption>Figure 12. The malicious scheduled task running the malicious batch file \u201c1.bat\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The attackers then used the domain controller to create a malicious group policy object (GPO) on Sep 9, 2022. The GPO created a scheduled task that ran the batch files \u201c1.bat\u201d and \u201cinstall.bat\u201d to deploy the ransomware on the remaining domain-joined machines. 
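<\/p>\n<p>The two artifacts described above, ProxyShell requests in the Exchange IIS logs and a GPO-pushed scheduled task that runs a batch file from a share on the domain controller, can both be hunted for with a short script. The following is an added example, not code from the Trend Micro write-up: it parses an IIS W3C log for the Autodiscover path-confusion pattern that ProxyShell relies on and checks the source IPs against the list given above, then audits a Group Policy Preferences ScheduledTasks.xml for tasks that run as SYSTEM, pull their payload from a UNC share, or launch a script. The log lines and the XML are constructed for the example; the hostname DC01, the benign InventoryAgent task, the e-mail domain example.com in the exploit URLs, and the address 203.0.113.7 are placeholders, not indicators from the incident.<\/p>\n<pre>
```python
# Added example (not code from the Trend Micro write-up): two triage checks for
# the artifacts of this intrusion, run over constructed sample data. Stdlib only.
import xml.etree.ElementTree as ET

# Source IPs the write-up lists as exploiting ProxyShell against this victim.
KNOWN_PROXYSHELL_IPS = {
    '138.199.47.184', '195.242.213.155', '213.232.87.177',
    '91.132.138.213', '91.132.138.221',
}
# ProxyShell (CVE-2021-34473) path confusion: the CAS front end strips the Explicit
# Logon e-mail prefix and proxies the rest of the URL to one of these backends, so
# the backend path shows up after the '@' in the logged cs-uri-query.
PROXYSHELL_BACKENDS = ('/mapi/nspi', '/powershell', '/ews/exchange.asmx')

def parse_iis_w3c(lines):
    fields = None  # set by the #Fields: directive that precedes the records
    for line in lines:
        line = line.strip()
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line or line.startswith('#') or fields is None:
            continue
        values = line.split(' ')
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def find_proxyshell_requests(lines):
    '''Return (client_ip, backend, status, known_actor) per ProxyShell-style request.'''
    hits = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get('cs-uri-stem', '').lower()
        query = rec.get('cs-uri-query', '').lower()
        if not stem.startswith('/autodiscover/autodiscover.json') or '@' not in query:
            continue
        proxied = query.split('@', 1)[1]  # what the front end forwards to the backend
        backend = next((b for b in PROXYSHELL_BACKENDS if b in proxied), None)
        if backend is None:
            continue  # ordinary Autodiscover request carrying an e-mail address
        ip = rec.get('c-ip', '')
        hits.append((ip, backend, rec.get('sc-status', ''), ip in KNOWN_PROXYSHELL_IPS))
    return hits

# GPP scheduled tasks live in SYSVOL under Policies/{GPO GUID}/Machine/Preferences/
# ScheduledTasks/ScheduledTasks.xml; a GPO-pushed task like this one is defined there.
def audit_gpp_scheduled_tasks(xml_text):
    '''Return GPP TaskV2 entries that match at least two deployment red flags.'''
    flagged = []
    for task in ET.fromstring(xml_text.strip()).findall('TaskV2'):
        props = task.find('Properties')
        run_as = props.get('runAs', '') if props is not None else ''
        command = task.findtext('.//Exec/Command', default='')
        arguments = task.findtext('.//Exec/Arguments', default='')
        cmdline = f'{command} {arguments}'.strip()
        reasons = []
        if run_as.lower().endswith('system'):
            reasons.append('runs as SYSTEM')
        if '\\\\' in cmdline:  # UNC path: the payload is pulled from a share
            reasons.append('executes from a network share')
        if any(ext in cmdline.lower() for ext in ('.bat', '.cmd', '.ps1', '.vbs')):
            reasons.append('launches a script')
        if len(reasons) >= 2:
            flagged.append({'name': task.get('name'), 'cmdline': cmdline, 'reasons': reasons})
    return flagged

# Constructed IIS log excerpt: 10.0.0.x is the victim side, example.com stands in for
# the attacker-chosen e-mail domain, 203.0.113.7 (TEST-NET) for a host not on the IOC list.
SAMPLE_IIS_LOG = '''
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-06 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@example.com 443 - 138.199.47.184 python-requests/2.28.1 - 200 0 0 312
2022-09-06 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/?X-Rps-CAT=AAAA 443 - 91.132.138.213 Mozilla/5.0 - 200 0 0 845
2022-09-06 10:17:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@corp.example&Protocol=ActiveSync 443 - 10.0.0.41 Outlook-iOS/2.0 - 200 0 0 45
2022-09-07 01:02:33 10.0.0.5 GET /autodiscover/autodiscover.json @example.com/ews/exchange.asmx 443 - 203.0.113.7 curl/7.79.1 - 401 0 0 120
'''
# Constructed ScheduledTasks.xml: one benign task and one modelled on the GoogleUpdateUX
# task from this intrusion. DC01 is a placeholder hostname.
SAMPLE_GPP_TASKS_XML = '''
<ScheduledTasks>
  <TaskV2 name='InventoryAgent'>
    <Properties action='C' name='InventoryAgent' runAs='CORP\\svc_inventory' logonType='Password'>
      <Task version='1.3'><Actions Context='Author'><Exec>
        <Command>C:\\Program Files\\Vendor\\inventory.exe</Command><Arguments>/scan</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 name='GoogleUpdateUX'>
    <Properties action='C' name='GoogleUpdateUX' runAs='NT AUTHORITY\\System' logonType='S4U'>
      <Task version='1.3'><Actions Context='Author'><Exec>
        <Command>cmd.exe</Command><Arguments>/c \\\\DC01\\scripts\\1.bat</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
'''

if __name__ == '__main__':
    print(find_proxyshell_requests(SAMPLE_IIS_LOG.splitlines()))
    print(audit_gpp_scheduled_tasks(SAMPLE_GPP_TASKS_XML))
```
<\/pre>\n<p>Run it as a script to print the findings, or import it and call the two functions on real data: feed <code>find_proxyshell_requests<\/code> the lines of the Exchange server\u2019s <code>u_ex*.log<\/code> files and <code>audit_gpp_scheduled_tasks<\/code> each ScheduledTasks.xml under SYSVOL. The heuristics are deliberately narrow (the public ProxyShell chain and the three backends it targets, and two of three red flags for a task), so treat them as a starting point for hunting rather than a complete detection.<\/p>\n<p>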
The batch file \u201cinstall.bat\u201d was used to disable the security agent services found on the targeted machines.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"1be230\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-13.png\" alt=\"Figure 13. The malicious GPO XML file was found on the domain controller group policies folder.\"> <\/a><figcaption>Figure 13. The malicious GPO XML file was found on the domain controller group policies folder.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-14.png\" alt=\"Figure 14. The contents of the \u201cinstall.bat\u201d file \"><figcaption>Figure 14. The contents of the \u201cinstall.bat\u201d file <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-15.png\" alt=\"Figure 15. 
The contents of the \u201c1.bat\u201d file \"><figcaption>Figure 15. The contents of the \u201c1.bat\u201d file <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>After deploying the ransomware, the attacker deleted the scripts folder that contained the malicious file samples.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-16.png\" alt=\"Figure 16. Master file table (MFT) record showing the deletion of the \u201cscripts\u201d folder \"><figcaption>Figure 16. Master file table (MFT) record showing the deletion of the \u201cscripts\u201d folder <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The dropped ransom note showed that the files were encrypted with the l7dm4566n extension on the specific machine we analyzed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"196382\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-17.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-17.png\" alt=\"Figure 17. A sample ransom note dropped on the infected machines\"> <\/a><figcaption>Figure 17. 
A sample ransom note dropped on the infected machines<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-18.png\" alt=\"Figure 18. The attack timeline\"><figcaption>Figure 18. The attack timeline<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The PowerShell command executed after the Microsoft Exchange exploitation downloads and executes a second PowerShell script from the command-and-control (C&amp;C) server <i>185[.]82[.]219[.]201<\/i>. The downloaded script is executed directly in memory rather than written to disk, which evades file-based detection.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c902fd\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-19.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-19.png\" alt=\"Figure 19. The second downloaded PowerShell backdoor\"> <\/a><figcaption>Figure 19. 
The second downloaded PowerShell backdoor<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.48347107438\">\n<div readability=\"16.512396694215\">\n<p>This PowerShell backdoor is related to <a href=\"https:\/\/medium.com\/walmartglobaltech\/systembc-powershell-version-68c9aad0f85c\">the SystemBC malware as a service<\/a>. The script has a hardcoded C&amp;C server IP address and port to connect to, and data is passed through the \u201cRc4_crypt\u201d function (RC4 encryption) before it is sent over the connection.<\/p>\n<p>We found multiple variants of this backdoor on VirusTotal with different hardcoded C&amp;C IP addresses and ports (listed in the IOCs section).<\/p>\n<p>The LV ransomware payload we observed in the recent attacks is almost identical to the old samples analyzed in <a href=\"https:\/\/www.secureworks.com\/research\/lv-ransomware\">previous research last year<\/a> \u2014 no new capabilities were added to the actual ransomware payload, as seen after unpacking. It also uses the same basic packer routine as the old samples.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b1004b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-20a.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-20a.png\" alt=\"Figure 20. 
The packer function in the new samples\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-20b.png\" alt=\"Figure 20. The packer function in the new samples\"><figcaption>Figure 20. The packer function in the new samples<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The packed executable stores the LV ransomware binary as RC4-encrypted data in a PE section named \u201cenc\u201d (Figure 21); Figure 22 shows the payload before and after decryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0e8b15\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-21.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-21.png\" alt=\"Figure 21. The PE sections of the new LV ransomware samples\"> <\/a><figcaption>Figure 21. 
The PE sections of the new LV ransomware samples<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c43889\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-22.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-22.png\" alt=\"Figure 22. The actual payload before and after decryption\"> <\/a><figcaption>Figure 22. The actual payload before and after decryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>After unpacking the new payloads and comparing them with the old payloads from the previous research, we found the two to be identical, indicating that the threat actor behind the LV ransomware did not enhance the core capabilities of the payload but instead expanded its affiliate program, as shown in the first section. The BinDiff similarity results between the two samples (Figure 23) confirm that both have the same capabilities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-23.png\" alt=\"Figure 23. Similarity results from bindiff comparing the old and new payloads\"><figcaption>Figure 23. 
Similarity results from bindiff comparing the old and new payloads<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f7abbc\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-24.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company-2\/lv-ransomware-proxyshell-24.png\" alt=\"Figure 24. Results from bindiff showing the internal functions for implementing the LV ransomware\"> <\/a><figcaption>Figure 24. Results from bindiff showing the internal functions for implementing the LV ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.180141843972\">\n<div readability=\"27.052955082742\">\n<p>By partnering with threat actors who sell network access on underground forums, the LV ransomware operators have been able to target multiple regions and industries. This shows that the impact of a ransomware variant does not depend solely on new capabilities, but also on factors such as reach and distribution.<\/p>\n<p>Ransomware operators commonly exploit vulnerabilities as part of their routines. Organizations should allocate enough resources to regularly patching and updating their infrastructure and software, especially for major vulnerabilities such as ProxyShell. Furthermore, regularly auditing and inventorying assets and data helps ensure that enterprises know what is happening within their systems. 
Finally, implementing data protection, backup, and recovery measures ensures that data is not lost even if a successful ransomware infection occurs.<\/p>\n<p>A multilayered approach can help organizations guard all possible entry points into the system for endpoints, emails, web, and networks. Security technologies that can detect malicious components and suspicious behavior that enterprises can consider include:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One\u2122<\/a>, which&nbsp;provides multilayered protection and behavior detection, helping block suspicious behavior and tools before the ransomware can damage the system.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">Trend Micro Cloud One\u2122 \u2013 Workload Security<\/a>, which&nbsp;protects systems against both known and unknown threats that exploit vulnerabilities. 
Cloud One uses technologies such as virtual patching and machine learning to further protect an organization from attacks.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration\/email-inspector.html\">Trend Micro\u2122 Deep Discovery\u2122 Email Inspector<\/a>, which&nbsp;employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, such as phishing emails that often serve as entry points for ransomware.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a>, which&nbsp;offers automated threat detection and response against advanced threats such as fileless threats and ransomware.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\" height=\"20%\">\n<tbody readability=\"24\">\n<tr>\n<td>\n<p><b>Filename<\/b><\/p>\n<\/td>\n<td width=\"294\" valign=\"top\">\n<p><b>SHA-1<\/b><\/p>\n<\/td>\n<td width=\"216\" valign=\"top\">\n<p><b>Detection name<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"242\" valign=\"bottom\">\n<p>enc_.exe<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>fc0d749c75ccd5bd8811b98dd055f9fa287286f7<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Ransom.Win32.LVRAN.YMCIKT<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"242\" valign=\"bottom\">\n<p>enc_.exe<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>B8FF09ABEAD5BAF707B40C84CAF58A3A46F1E05A<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Ransom.Win32.LVRAN.YMCIKT<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"242\" valign=\"bottom\">\n<p>2.txt<\/p>\n<\/td>\n<td width=\"294\" 
valign=\"bottom\" readability=\"5\">\n<p>2e02a6858b4e8dd8b4bb1691b87bc7d5545297bc<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\">\n<p>Trojan.BAT.LVRAN.YMCIL<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"242\" valign=\"bottom\">\n<p>3.txt<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>f25c9b5f42b19898b2e3df9723bce95cf412a8ff<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\">\n<p>Trojan.BAT.LVRAN.YMCIL<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"242\" valign=\"bottom\">\n<p>l7dm4566n-README.txt<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>027889533afe809b68c0955a7fc3cb8f3ae33c08<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Ransom.Win32.LVRAN.YMCIK.note<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"242\" valign=\"bottom\">\n<p>1.bat<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>3ffc87d9b429b64c09fcc26f1561993c3fb698f4<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\">\n<p>Trojan.BAT.LVRAN.YMCIL<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"242\" valign=\"bottom\">\n<p>no.txt<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>1b67e4672b2734eb1f00967a0d6dd8b8acc9091e<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\">\n<p>Trojan.Win32.LVRAN.YMCIL<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"242\" valign=\"bottom\">\n<p>Shortcuts.xml<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>9cb059d2c74266b8a42017df8544ea76daae1e87<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\">\n<p>Trojan.XML.LVRAN.YMCIK<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"242\" valign=\"bottom\">\n<p>powershell code.txt<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>97822c165acd1c0fd4ff79bbad146f93f367e18c<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Trojan.Win32.FRS.VSNW0CI22<\/p>\n<\/td>\n<\/tr>\n<tr 
readability=\"9\">\n<td width=\"242\" valign=\"bottom\" readability=\"5\">\n<p>Backdoor PowerShell variant<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>9e0026572e3c839356d053cb71b8cbbbacb2627b<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Trojan.Win32.FRS.VSNW04J22<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"242\" valign=\"bottom\" readability=\"5\">\n<p>Backdoor PowerShell variant<\/p>\n<\/td>\n<td width=\"294\" valign=\"bottom\" readability=\"5\">\n<p>b7d57bfbe8aa31bf4cacb960a390e5a519ce2eed<\/p>\n<\/td>\n<td width=\"216\" valign=\"bottom\" readability=\"5\">\n<p>Trojan.Win32.FRS.VSNW04J22<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"242\" valign=\"top\" readability=\"5\">\n<p>Backdoor PowerShell variant<\/p>\n<\/td>\n<td width=\"294\" valign=\"top\" readability=\"5\">\n<p>3e4a30a16b1521f8a7d1855b4181f19f8d00b83b<\/p>\n<\/td>\n<td width=\"216\" valign=\"top\" readability=\"5\">\n<p>Backdoor.PS1.SYSTEMBC.THIBOBB<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"242\" valign=\"top\" readability=\"5\">\n<p>Backdoor PowerShell variant<\/p>\n<\/td>\n<td width=\"294\" valign=\"top\" readability=\"5\">\n<p>49c35b2916f664e690a5c3ef838681c8978311ca<\/p>\n<\/td>\n<td width=\"216\" valign=\"top\">\n<p>Backdoor.PS1.LVRAN.YMCIO<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\" height=\"20%\">\n<tbody>\n<tr>\n<td>\n<p><b>URL<\/b><\/p>\n<\/td>\n<td valign=\"top\">\n<p><b>WRS Rating<\/b><\/p>\n<\/td>\n<td width=\"172\" valign=\"top\">\n<p><b>URL Category<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p>182[.]82[.]219[.]201<\/p>\n<\/td>\n<td valign=\"bottom\">\n<p>Dangerous<\/p>\n<\/td>\n<td width=\"172\" valign=\"bottom\">\n<p>Malware Accomplice<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p>185[.]82[.]217[.]131<\/p>\n<\/td>\n<td 
valign=\"bottom\">\n<p>Dangerous<\/p>\n<\/td>\n<td width=\"172\" valign=\"bottom\">\n<p>Malware Accomplice<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/lv-ransomware-exploits-proxyshell-in-attack.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49010,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9508,9539,9509],"class_list":["post-49009","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-25T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/lv-ransomware-proxyshell-641.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company\",\"datePublished\":\"2022-10-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/\"},\"wordCount\":1932,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/\",\"name\":\"LV Ransomware Exploits 
ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png\",\"datePublished\":\"2022-10-25T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png\",\"width\":1583,\"height\":798},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\\\/#breadcrumb\",\"
itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/","og_locale":"en_US","og_type":"article","og_title":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-10-25T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/lv-ransomware-proxyshell-641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company","datePublished":"2022-10-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/"},"wordCount":1932,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/","url":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/","name":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png","datePublished":"2022-10-25T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company.png","width":1583,"height":798},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/lv-ransomware-exploits-proxyshell-in-attack-on-a-jordan-based-company\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted 
Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49009"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49009\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49010"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49009"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}