Security Affairs, June 7, 2024
A new Linux version of TargetCompany ransomware targets VMware ESXi environments
A new Linux variant of the TargetCompany ransomware family targets VMware ESXi environments using a custom shell script.

A new variant of the TargetCompany ransomware uses a custom shell script to deliver and execute the payload; this is the first time the technique has been observed in the wild.

The script is also used for data exfiltration: the stolen data is sent to two different servers, so the ransomware actors keep a backup copy of the information.

The new Linux-based variant was specifically designed to target VMware ESXi environments.

TargetCompany has been active since June 2021. Once it encrypts a file, it appends the .mallox, .exploit, .architek, or .brg extension to the filename.

Like other ransomware, TargetCompany removes shadow copies on all drives and kills some processes that may hold open valuable files, such as databases.

In February 2022, Czech cybersecurity software firm Avast released a decryption tool that could allow victims of the TargetCompany ransomware to recover their files for free under certain circumstances.

The threat actors behind TargetCompany are now also targeting virtualization environments to expand the scope of their attacks and cause greater damage and disruption. The ransomware operators have added the capability to detect whether a machine is running VMware ESXi by executing the “uname” command.

If the system name matches “vmkernel,” the machine is running VMware’s ESXi hypervisor. The malware then enters “VM mode” and encrypts only files with specific extensions.

Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. As with the Windows variant of the ransomware, the content of TargetInfo.txt is then sent to a C2 server.

Once the encryption process is completed, it drops a ransom note file named “HOW TO RECOVER !!.TXT” in all folders containing encrypted files. The malware appends the “.locked” extension to the encrypted filenames.
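The three observable traits described above (the “vmkernel” check, the TargetInfo.txt drop and the “HOW TO RECOVER !!.TXT” note beside “.locked” files) translate directly into a host-triage check. The following Python script is an added example, not code from the article or from Trend Micro: it classifies a uname string the way the malware does and walks a directory tree for the dropped artifacts. The sample datastore layout and the uname strings are constructed for the example; file and extension names are the ones the article reports.

```python
"""Host-triage helper for the TargetCompany Linux/ESXi indicators.

Added example, not from the article or Trend Micro's report. Indicator names
come from the article; the sample directory tree is constructed here.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

RANSOM_NOTE = "HOW TO RECOVER !!.TXT"   # dropped in every folder with encrypted files
VICTIM_INFO = "TargetInfo.txt"          # victim information, later sent to the C2
LOCKED_EXT = ".locked"                  # extension appended by the Linux variant
# Extensions used by earlier TargetCompany campaigns (from the article).
LEGACY_EXTS = (".mallox", ".exploit", ".architek", ".brg")


def is_esxi_uname(uname_output: str) -> bool:
    """Apply the malware's own test: is the kernel name reported by uname 'vmkernel'?

    On ESXi, `uname -s` prints "VMkernel" and `uname -a` starts with it, so the
    first whitespace-separated field is compared case-insensitively.
    """
    fields = uname_output.strip().split()
    return bool(fields) and fields[0].lower() == "vmkernel"


@dataclass
class TriageReport:
    ransom_notes: list = field(default_factory=list)
    victim_info_files: list = field(default_factory=list)
    locked_files: list = field(default_factory=list)
    legacy_ext_files: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        """True if any TargetCompany artifact was found."""
        return bool(self.ransom_notes or self.victim_info_files
                    or self.locked_files or self.legacy_ext_files)

    def locked_per_dir(self) -> Counter:
        """How many encrypted files sit in each directory (e.g. per VM folder)."""
        return Counter(os.path.dirname(p) for p in self.locked_files)


def triage_tree(root: str) -> TriageReport:
    """Walk `root` and collect paths matching the article's indicators."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report.ransom_notes.append(path)
            elif name == VICTIM_INFO:
                report.victim_info_files.append(path)
            elif name.endswith(LOCKED_EXT):
                report.locked_files.append(path)
            elif name.endswith(LEGACY_EXTS):
                report.legacy_ext_files.append(path)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample: a datastore-like layout with two encrypted VM folders."""
    layout = {
        "vmfs/volumes/ds1/web01": ["web01.vmdk.locked", "web01.vmx.locked", RANSOM_NOTE],
        "vmfs/volumes/ds1/db01": ["db01-flat.vmdk.locked", RANSOM_NOTE],
        "vmfs/volumes/ds1/iso": ["install.iso"],   # untouched file
        "tmp": [VICTIM_INFO],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("sample\n")


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    # Constructed uname strings, not captured from a real host.
    print("ESXi host:", is_esxi_uname("VMkernel esxi-host 7.0.3 #1 SMP x86_64"))
    print("Linux host:", is_esxi_uname("Linux web01 6.1.0 #1 SMP x86_64"))
    r = run_demo()
    print("ransom notes:", len(r.ransom_notes), "| locked files:", len(r.locked_files))
    print("per directory:", dict(r.locked_per_dir()))
```

On a live ESXi host the same logic can be pointed at /vmfs/volumes; the per-directory count of “.locked” files is a quick way to see which VM folders were reached before the process was stopped.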

“The IP address used to deliver the payload and exfiltrate a victim’s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.” reads the report published by Trend Micro. “The certificate also was recently registered and is valid for only three months, indicating that it might be intended for short-term use.”

Trend Micro linked the sample analyzed by its researchers to an affiliate named “vampire,” which was identified through data sent to its C2 server. The experts believe that larger campaigns with high ransom demands and extensive IT system targeting are ongoing. “Vampire” may be connected to an affiliate mentioned in a report published by Sekoia.

Malicious actors are continually enhancing their TTPs, as demonstrated by the emergence of TargetCompany’s new Linux variant. The latest development allows the operators to broaden their range of potential victims by targeting VMware ESXi environments.

Trend Micro also published the indicators of compromise for this threat.

Pierluigi Paganini
