Overview:
- The Play ransomware group, known for its double-extortion tactics, has released a Linux variant that targets ESXi environments.
- Most incidents this year have been concentrated in the United States.
- The ransomware verifies that it is running in an ESXi environment before executing; the sample submitted to VirusTotal shows it evading security detections.
- The Play ransomware group appears to be using the services and infrastructure offered by the Prolific Puma group.
Our Threat Hunting team discovered a Linux variant of Play ransomware that only encrypts files when it is running in a VMware ESXi environment. First detected in June 2022, the Play ransomware group gained notoriety for its double-extortion tactics, evasion techniques, custom tools, and significant impact on a range of organizations in South America.
This is the first time we have observed Play ransomware targeting ESXi environments. The development suggests the group may be broadening its attacks across the Linux platform, which would give it a wider pool of victims and more leverage in ransom negotiations.
Businesses frequently use VMware ESXi environments to run many virtual machines (VMs). These systems often host critical applications and data and typically include built-in backup solutions. Compromising such an environment can cause significant disruption to business operations and can reach the backups as well, further limiting the victim's ability to restore data.


The sample submitted to VirusTotal indicates that it evaded security detections. Our analysis found that the Linux variant is packaged in a RAR file together with its Windows counterpart, hosted at hxxp://108.[BLOCKED].190/FX300.rar.

The same IP address also hosts tools that Play ransomware has used in earlier attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

Figure 4 shows the infection routine of this variant. Although we have not observed actual infections, the command-and-control (C&C) server hosts tools commonly used by Play ransomware in its operations, which suggests that the Linux variant may follow similar tactics, techniques, and procedures.
Figure 4. Infection routine of the Linux variant of Play ransomware
Like its Windows counterpart, the sample accepts command-line arguments, but their functions are not yet known.
| Play Ransomware Windows Variant | Description | Play Ransomware Linux Variant | Description |
|---|---|---|---|
| -mc | Execute regular functionality; equivalent to no command-line argument | -p | N/A |
| -d <drive path> | Encrypt a specified drive | -f | N/A |
| -ip <shared resource path> <username> <password> | Encrypt a network shared resource | -s | N/A |
| -p <path> | Encrypt a specific folder or file | -e | N/A |

Table 1. Command-line arguments of the Windows and Linux variants of Play ransomware. The Windows arguments cover encrypting drives, files, and network shared resources; the functions of the Linux arguments are not yet known.
The sample runs ESXi-specific commands to confirm that it is operating in an ESXi environment before proceeding with its malicious routine. If the check fails, it terminates and deletes itself.

A series of shell commands runs once the sample detects an ESXi environment. One command enumerates every VM on the host and powers it off:
/bin/sh -c "for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"

Another command sets a custom welcome message on the ESXi host (the message text is passed after -m=):
/bin/sh -c "esxcli system welcomemsg set -m="
After running the ESXi-related commands, the ransomware encrypts VM files such as virtual disks, configuration files, and metadata files. Virtual disk files, for example, hold critical data such as applications and user data.

Once encryption finishes, most of the encrypted files belonging to the guest OS (the "ubuntu" VM in our test, for instance) have the ".PLAY" extension appended.

It also drops a ransom note in the root directory, which is then displayed on the login screen of the ESXi host client.
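The ESXi commands and file changes described above map directly onto host-side telemetry. The following script is an added example (Python), not code from the original post or from Trend Micro's products: it turns that behaviour into detection logic over shell-history records. The log line format is an assumption modelled on ESXi's /var/log/shell.log, the sample lines are constructed for this example, and the rule names, thresholds and helper functions are mine.

```python
"""Detect the ESXi activity described above in shell.log-style records.

Added example, not code from the original post. Log format assumed to be
"<ISO8601 ts> shell[<pid>]: [<user>]: <command>"; adjust LINE_RE for your
collector. The sample lines below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
# A getallvms enumeration and a power.off in the same command line is the loop
# the sample runs; a lone power.off is routine administration.
MASS_POWEROFF_RE = re.compile(r"vmsvc/getallvms.*vmsvc/power\.off")
WELCOMEMSG_RE = re.compile(r"esxcli\s+system\s+welcomemsg\s+set\b")
SINGLE_POWEROFF_RE = re.compile(r"vmsvc/power\.off\s+\S+")
PLAY_EXT = ".PLAY"

# Constructed sample (not real logs): one session running the ransomware's
# commands, a second root session powering off VMs one by one, and an admin
# doing a single routine power-off.
SAMPLE_SHELL_LOG = """\
2024-07-19T08:01:02Z shell[2099781]: [root]: esxcli system version get
2024-07-19T08:03:10Z shell[2099781]: [root]: vim-cmd vmsvc/getallvms
2024-07-19T08:03:11Z shell[2099781]: [root]: for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done
2024-07-19T08:03:40Z shell[2099781]: [root]: esxcli system welcomemsg set -m=
2024-07-19T08:10:00Z shell[2105555]: [root]: vim-cmd vmsvc/power.off 1
2024-07-19T08:10:05Z shell[2105555]: [root]: vim-cmd vmsvc/power.off 2
2024-07-19T08:10:09Z shell[2105555]: [root]: vim-cmd vmsvc/power.off 3
2024-07-19T09:15:00Z shell[2101234]: [admin]: vim-cmd vmsvc/power.off 12
"""


@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    timestamp: str
    detail: str


def parse_lines(text):
    """Yield one dict per line matching LINE_RE; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def scan_shell_log(text, burst_window_s=120, burst_threshold=3):
    """Return findings for mass power-off loops, welcome-message changes, and
    bursts of individual power-offs from a single shell session."""
    findings = []
    recent_poweroffs = {}  # (user, pid) -> timestamps inside the window
    for rec in parse_lines(text):
        cmd = rec["cmd"]
        if MASS_POWEROFF_RE.search(cmd):
            findings.append(Finding("esxi_mass_vm_poweroff_loop", "high",
                                    rec["user"], rec["ts"], cmd))
        elif WELCOMEMSG_RE.search(cmd):
            findings.append(Finding("esxi_welcomemsg_modified", "medium",
                                    rec["user"], rec["ts"], cmd))
        elif SINGLE_POWEROFF_RE.search(cmd):
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            key = (rec["user"], rec["pid"])
            window = [t for t in recent_poweroffs.get(key, [])
                      if ts - t <= timedelta(seconds=burst_window_s)]
            window.append(ts)
            recent_poweroffs[key] = window
            if len(window) == burst_threshold:  # fire once per burst
                findings.append(Finding(
                    "esxi_vm_poweroff_burst", "high", rec["user"], rec["ts"],
                    f"{burst_threshold} power.off calls within {burst_window_s}s"))
    return findings


def play_encrypted_files(paths):
    """Datastore sweep: return the files carrying the .PLAY extension."""
    return [p for p in paths if p.endswith(PLAY_EXT)]


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"[{f.severity}] {f.rule} user={f.user} at {f.timestamp}: {f.detail}")
    # Constructed datastore listing, not from a real host.
    print(play_encrypted_files(["/vmfs/volumes/ds1/ubuntu/ubuntu.vmdk.PLAY",
                                "/vmfs/volumes/ds1/ubuntu/ubuntu.vmx.PLAY",
                                "/vmfs/volumes/ds1/ubuntu/vmware.log"]))
```

The single-line loop is the strongest signal because legitimate tooling rarely enumerates and powers off every VM from one shell command; the burst rule catches an operator who unrolls the loop by hand, while the lone admin power-off stays below the threshold.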



Investigating the Link Between Prolific Puma and Play Ransomware
By tracking the external activity of the suspicious IP address, we found that the URL hosting the ransomware payload and its tools is connected to another threat actor known as Prolific Puma.
Prolific Puma is known for generating domain names with a registered domain generation algorithm (RDGA) and using them to run a link-shortening service for other cybercriminals, who in turn use it to evade detection while distributing phishing, scams, and malware.

| SUBJECT | SUBJECT-TYPE | INDICATOR | DETECTION | DESCRIPTION |
|---|---|---|---|---|
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/FX300.rar | 95 – Ransomware | Hosting URL for Play ransomware binary |
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/1.dll.sa | 79 – Disease Vector | Hosting URL for Coroxy backdoor |
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/64.zip | 79 – Disease Vector | Hosting URL for NetScan |
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/winrar-x64-611.exe | Untested | Hosting URL for WinRAR |
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/PsExec.exe | Untested | Hosting URL for PsExec |
| 108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/host1.sa | 78 – Malware Accomplice | Hosting URL for Coroxy backdoor |

Table 2. Tools associated with Play ransomware hosted on the same IP address.
| SUBJECT | SUBJECT-TYPE | INDICATOR | INDICATOR-TYPE | REGISTRAR |
|---|---|---|---|---|
| 108[.]61[.]142[.]190 | IP address | ztqs[.]info | Domain (RDGA) | Porkbun, LLC |
| 108[.]61[.]142[.]190 | IP address | zfrb[.]info | Domain (RDGA) | Porkbun, LLC |
| 108[.]61[.]142[.]190 | IP address | xzdw[.]info | Domain (RDGA) | Porkbun, LLC |
| 108[.]61[.]142[.]190 | IP address | iing[.]info | Domain (RDGA) | Porkbun, LLC |
| 108[.]61[.]142[.]190 | IP address | mcmb[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | lcmr[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | thfq[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | hibh[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | iwqe[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | ukwc[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | apkh[.]info | Domain (RDGA) | NameCheap, Inc |
| 108[.]61[.]142[.]190 | IP address | vqbl[.]info | Domain (RDGA) | NameSilo, LLC |
| 108[.]61[.]142[.]190 | IP address | vgkb[.]info | Domain (RDGA) | NameSilo, LLC |
| 108[.]61[.]142[.]190 | IP address | znuc[.]info | Domain (RDGA) | NameSilo, LLC |

Table 3. The IP address hosting Play ransomware resolves to multiple domains.


Tables 2 and 3 show, respectively, the Play ransomware toolkit and the RDGA-generated domains that share the same IP address. The domains are registered through several different registrars. Our research indicates that Prolific Puma typically uses three to four random characters in the domains it registers, and the Prolific Puma domains in the tables match that pattern among the domains resolving to the IP address associated with Play ransomware.
In addition, the message displayed when visiting one of these domains matches the one reported by other security researchers.


To further validate the link between the two groups, we also tested the Coroxy backdoor hosted on the same IP address. Black-box analysis showed the Coroxy backdoor connecting to 45[.]76[.]165[.]129. This IP address also resolves to several domains associated with Prolific Puma.

| SUBJECT | SUBJECT-TYPE | INDICATOR | INDICATOR-TYPE | REGISTRAR |
|---|---|---|---|---|
| 45[.]76[.]165[.]129 | IP address | jhrd[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | pkil[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | kwfw[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | whry[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | pxkt[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | ylvq[.]me | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | flbe[.]link | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | mmhp[.]link | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | gunq[.]link | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | ojry[.]link | Domain (RDGA) | NameSilo, LLC |
| 45[.]76[.]165[.]129 | IP address | bltr[.]me | Domain (RDGA) | NameSilo, LLC |

Table 4. Different domains resolve to the IP address contacted by the Coroxy backdoor.
The IP address that the Coroxy backdoor connects to likewise resolves to several domains matching Prolific Puma's registered domains. On closer inspection, the hostname associated with this IP address also ends in "vultrusercontent.com", mirroring the first IP address, as shown in Figure 17.

Comparing the IP address that hosted Play ransomware and its tools with the other IP address connected to Prolific Puma shows that both belong to the same autonomous system number (ASN). That places them in the same network, operated by the same network provider.
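The pivots used above (short random labels on a handful of TLDs, many such domains resolving to one IP, and two IPs sharing an ASN and a reverse-DNS suffix) can be scripted over passive-DNS data. The block below is an added example (Python), not code from the original post or from Trend Micro. The domain, IP and registrar rows are taken from Tables 3 and 4; the benign rows, the reverse-DNS names and the ASN values are constructed placeholders (AS20473 is assumed here as Vultr's ASN, which the page does not state; AS64496 is a documentation ASN), and all function names and thresholds are mine.

```python
"""Cluster RDGA-style domains by hosting IP and link IPs by ASN and rDNS suffix.

Added example, not code from the original post. Rows marked "from Table 3/4"
come from the page; everything else is constructed for illustration.
"""
import re
from collections import defaultdict

# Three to four random lowercase characters, the pattern the text attributes
# to Prolific Puma, restricted to the TLDs that appear in Tables 3 and 4.
RDGA_LABEL_RE = re.compile(r"^[a-z]{3,4}$")
CHEAP_TLDS = {"info", "me", "link"}

# (domain, ip, registrar) passive-DNS rows. First seven from Tables 3 and 4;
# the last two are constructed benign rows using documentation addresses.
PASSIVE_DNS = [
    ("ztqs[.]info", "108[.]61[.]142[.]190", "Porkbun, LLC"),
    ("zfrb[.]info", "108[.]61[.]142[.]190", "Porkbun, LLC"),
    ("mcmb[.]info", "108[.]61[.]142[.]190", "NameCheap, Inc"),
    ("vqbl[.]info", "108[.]61[.]142[.]190", "NameSilo, LLC"),
    ("jhrd[.]me", "45[.]76[.]165[.]129", "NameSilo, LLC"),
    ("pkil[.]me", "45[.]76[.]165[.]129", "NameSilo, LLC"),
    ("flbe[.]link", "45[.]76[.]165[.]129", "NameSilo, LLC"),
    ("www.example.com", "203.0.113.10", "Example Registrar"),
    ("abcd.info", "203.0.113.20", "Example Registrar"),  # lone short label: not a cluster
]

# ip -> (asn, reverse-DNS name). ASN and rDNS values are ASSUMED for the example.
IP_META = {
    "108.61.142.190": ("AS20473", "108.61.142.190.vultrusercontent.com"),
    "45.76.165.129": ("AS20473", "45.76.165.129.vultrusercontent.com"),
    "203.0.113.10": ("AS64496", "web.example.com"),
}


def refang(indicator):
    """Turn a defanged '[.]' indicator back into a usable string."""
    return indicator.replace("[.]", ".").replace(" ", "")


def looks_rdga(domain):
    """True for a bare second-level domain whose label is 3-4 lowercase
    letters on one of the TLDs from the tables. On its own this is noisy;
    it only becomes a signal once several such domains share an IP."""
    parts = refang(domain).lower().split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return bool(RDGA_LABEL_RE.match(label)) and tld in CHEAP_TLDS


def cluster_by_ip(records, min_domains=3):
    """Group RDGA-looking domains by IP; keep IPs hosting >= min_domains."""
    by_ip = defaultdict(list)
    for domain, ip, registrar in records:
        if looks_rdga(domain):
            by_ip[refang(ip)].append((refang(domain), registrar))
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


def link_by_asn_and_rdns(ip_meta):
    """Pair IPs that share both an ASN and a reverse-DNS suffix, the
    infrastructure overlap the text describes for the two IP addresses."""
    groups = defaultdict(list)
    for ip, (asn, rdns) in ip_meta.items():
        suffix = ".".join(rdns.split(".")[-2:])  # e.g. vultrusercontent.com
        groups[(asn, suffix)].append(ip)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for ip, doms in cluster_by_ip(PASSIVE_DNS).items():
        print(ip, "hosts", len(doms), "RDGA-like domains:", [d for d, _ in doms])
    for (asn, suffix), ips in link_by_asn_and_rdns(IP_META).items():
        print(asn, suffix, "shared by", ips)
```

Note the ordering of evidence: the label heuristic alone would also match legitimate short brand names, so the script only reports an IP once several such domains resolve to it, and it treats the ASN/rDNS match as a second, independent link rather than proof of shared operation.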

Prolific Puma is selective about its customers and only deals with individuals or groups it considers eligible for its services. Given the established reputation of the threat actors behind Play ransomware, they could plausibly qualify for access to Prolific Puma's offerings. These findings point to a likely collaboration between the two groups, with the Play ransomware group in turn using Prolific Puma's services to improve its evasion of defensive security measures.
Defending against ransomware attacks on ESXi environments
ESXi environments are prime targets for ransomware because of their central role in business operations. Being able to encrypt many VMs, and the critical data they hold, in a single operation makes them even more attractive to criminals. To reduce exposure to these attacks, organizations should follow several best practices:
- Regular patching and updates: Keep ESXi hosts and their management software up to date to close known vulnerabilities.
- Virtual patching: Many organizations do not update their ESXi environments as often as they should because of complexity, downtime concerns, limited resources, competing operational priorities, or compatibility issues. Virtual patching applies security rules at the network level to shield vulnerable systems, reducing risk without requiring an immediate change to the underlying software.
- Fixing misconfigurations: Regularly audit and correct misconfigurations in ESXi environments, since they create weaknesses that ransomware can exploit. Sound configuration management keeps settings aligned with security best practices and lowers the risk of exploitation.
- Strong access controls: Enforce robust authentication and authorization, such as multifactor authentication (MFA), and restrict administrative access.
- Network segmentation: Isolate critical systems and networks to limit the spread of ransomware.
- Minimizing the attack surface: Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and enforce strict firewall rules to reduce network exposure. VMware publishes recommendations and best practices for securing ESXi hosts.
- Regular offline backups: Keep frequent, secure backups of all critical data. Store backups offline and test them regularly to confirm their integrity.
- Security monitoring and incident response: Deploy monitoring solutions and establish an incident response plan so that suspicious activity can be handled quickly and proactively.
Trend Micro Vision One Hunting Query
The following query may be useful for threat hunting in Vision One:
- malName:*Linux.PLAYDE* AND eventName:MALWARE_DETECTION
Indicators of Compromise (IoC)
| IOC | Detection | Description |
|---|---|---|
| 2a5e003764180eb3531443946d2f3c80ffcb2c30 | Ransom.Linux.PLAYDE.YXEE3T | ELF binary |
| hxxp://108.61.142[.]190/FX300.rar | 95 – Ransomware | Hosting URL for Play ransomware binary |
| 108.61.142[.]190 | Untested | Observed IP address |
| hxxp://108.61.142[.]190/1.dll.sa | 79 – Disease Vector | Hosting URL for Coroxy backdoor |
| hxxp://108.61.142[.]190/64.zip | 79 – Disease Vector | Hosting URL for NetScan |
| hxxp://108.61.142[.]190/winrar-x64-611.exe | Untested | Hosting URL for WinRAR |
| hxxp://108.61.142[.]190/PsExec.exe | Untested | Hosting URL for PsExec |
| hxxp://108.61.142[.]190/host1.sa | 78 – Malware Accomplice | Hosting URL for Coroxy backdoor |
MITRE ATT&CK Tactics and Techniques:

| Tactic | Technique | ID |
|---|---|---|
| Defense Evasion | File Deletion | T1070.004 |
| Discovery | Network Service Discovery | T1046 |
| Discovery | File and Directory Discovery | T1083 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Lateral Movement | Lateral Tool Transfer | T1570 |
| Command and Control | Dynamic Resolution: Domain Generation Algorithms | T1568.002 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Exfiltration | Exfiltration over C&C Channel | T1041 |
| Impact | Data Encrypted for Impact | T1486 |
| Impact | Defacement: Internal Defacement | T1491.001 |
| Impact | Service Stop | T1489 |
