The Linux Variant of TargetCompany Ransomware targets ESXi Environments

HawkEye Cyber SOC

The TargetCompany ransomware was discovered in June 2021. Trend Micro tracks it under the name “Water Gatpanapun,” and it has a leak site known as “Mallox.” According to the reports, this year’s group activity is greatest in Taiwan, India, Thailand, and South Korea.

Since its discovery, TargetCompany has kept developing methods to evade the security defenses organizations rely on. These include abusing fully undetectable (FUD) obfuscator packers and using a PowerShell script to bypass the Antimalware Scan Interface (AMSI).

Trend Micro has now identified a new TargetCompany variant that is specifically designed to target Linux environments.

Technical Analysis

TargetCompany has been in operation since June 2021. Encrypted files are given one of the extensions .mallox, .exploit, .architek, or .brg.

Like other ransomware families, TargetCompany deletes shadow copies on every drive and terminates processes, such as database services, that might be holding important files open.

The threat actors behind TargetCompany are now targeting virtualization environments in an effort to broaden the scope of their attacks and increase the disruption and damage they cause. Using the “uname” command, the ransomware checks whether it is running in a VMware ESXi environment.

If the system name matches “vmkernel,” the host is running VMware’s ESXi hypervisor, and the malware switches to “VM mode” to encrypt files with particular extensions.

Once run, the ransomware drops a text file called TargetInfo.txt containing victim data. As with the Windows variant, the contents of TargetInfo.txt are then sent to a C2 server.

After encryption, every folder holding encrypted files contains a ransom note named “HOW TO RECOVER!!.TXT,” and the malware appends the “.locked” extension to the encrypted filenames.

Ransomware extension (Source: Trend Micro)
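The on-disk artefacts described above (the ransom note name, the TargetInfo.txt victim-data file and the encrypted-file extensions) are enough to build a quick triage sweep of a datastore or a mounted disk image. The script below is an added example written for this write-up, not code from Trend Micro or HawkEye; the directory layout it builds in build_sample_tree() is constructed purely for the demo, and the verdict labels are my own choice.

```python
import os
import tempfile

# Artefacts named in the write-up: the ransom note, the victim-data file and
# the extensions TargetCompany/Mallox gives to encrypted files.
RANSOM_NOTE = "HOW TO RECOVER!!.TXT"
VICTIM_INFO = "TargetInfo.txt"
ENCRYPTED_EXTS = {".locked", ".mallox", ".exploit", ".architek", ".brg"}


def scan_tree(root):
    """Walk `root` and collect the paths of each artefact type.

    Returns a dict with keys 'ransom_notes', 'victim_info' and 'encrypted_files'.
    """
    findings = {"ransom_notes": [], "victim_info": [], "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            elif name == VICTIM_INFO:
                findings["victim_info"].append(path)
            elif ext in ENCRYPTED_EXTS:
                findings["encrypted_files"].append(path)
    return findings


def verdict(findings):
    """Reduce findings to a label a triage queue can sort on (labels are my own)."""
    if findings["encrypted_files"] and findings["ransom_notes"]:
        return "encryption-observed"
    if findings["encrypted_files"] or findings["ransom_notes"] or findings["victim_info"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Create a constructed directory layout (not real victim data) for a demo run."""
    root = tempfile.mkdtemp(prefix="tc_demo_")
    layout = {
        "vm1/disk.vmdk.locked": b"\x00" * 16,          # encrypted file, ".locked" appended
        "vm1/HOW TO RECOVER!!.TXT": b"note placeholder",  # ransom note beside it
        "vm2/config.vmx": b"clean",
        "vm2/TargetInfo.txt": b"victim info placeholder",
        "logs/old.log": b"clean",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print(verdict(result))
    for kind, paths in result.items():
        for p in paths:
            print(f"  {kind}: {p}")
```

Point scan_tree() at a datastore (on an ESXi host the datastores are mounted under /vmfs/volumes) or at an offline copy of it. The extension check is deliberately case-insensitive and keyed on the last suffix only, so a file such as disk.vmdk.locked is still reported.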

Infection Chain

Infection chain (Source: Trend Micro)

Data uploaded to the C2 server allowed Trend Micro’s researchers to associate the sample they examined with an affiliate known as “vampire.” The researchers surmise that more comprehensive ransom demands and widespread targeting of IT systems are part of ongoing, broader attacks. “Vampire” may be linked to an affiliate mentioned in a Sekoia report.

Vampire strings (Source: Trend Micro)

Detection

rule win_targetcompany_ransomware {
    strings:
        $sequence_0 = { ff15???????? 85c0 7475 fe85a7fdffff 80bda7fdffff0c }
            // n = 5, score = 500
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   7475                 | je                  0x77
            //   fe85a7fdffff         | inc                 byte ptr [ebp - 0x259]
            //   80bda7fdffff0c       | cmp                 byte ptr [ebp - 0x259], 0xc

        $sequence_1 = { 53 ff15???????? ff75e8 ff15???????? ff75e0 ff15???????? 3975f0 }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   ff15????????         |
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   ff15????????         |
            //   3975f0               | cmp                 dword ptr [ebp - 0x10], esi

        $sequence_2 = { eb43 b900100000 3bc1 733a 53 51 }
            // n = 6, score = 500
            //   eb43                 | jmp                 0x45
            //   b900100000           | mov                 ecx, 0x1000
            //   3bc1                 | cmp                 eax, ecx
            //   733a                 | jae                 0x3c
            //   53                   | push                ebx
            //   51                   | push                ecx

        $sequence_3 = { 83c424 33cd 33c0 5f e8???????? c9 c3 }
            // n = 7, score = 500
            //   83c424               | add                 esp, 0x24
            //   33cd                 | xor                 ecx, ebp
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   e8????????           |
            //   c9                   | leave
            //   c3                   | ret

        $sequence_4 = { 813d????????a9aaaa0a 722b 68???????? 8d4dd4 }
            // n = 4, score = 500
            //   813d????????a9aaaa0a |
            //   722b                 | jb                  0x2d
            //   68????????           |
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]

        $sequence_5 = { e8???????? 57 6a0c 5a 8bce 8d45e0 e8???????? }
            // n = 7, score = 500
            //   e8????????           |
            //   57                   | push                edi
            //   6a0c                 | push                0xc
            //   5a                   | pop                 edx
            //   8bce                 | mov                 ecx, esi
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |

        $sequence_6 = { 83ec40 53 56 33f6 57 8d5dc4 }
            // n = 6, score = 500
            //   83ec40               | sub                 esp, 0x40
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   8d5dc4               | lea                 ebx, [ebp - 0x3c]

        $sequence_7 = { 50 8d45b0 50 e8???????? 8d45b0 50 8d85c0feffff }
            // n = 7, score = 500
            //   50                   | push                eax
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   50                   | push                eax
            //   e8????????           |
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   50                   | push                eax
            //   8d85c0feffff         | lea                 eax, [ebp - 0x140]

        $sequence_8 = { bf???????? 8d75e8 e8???????? 8b1d???????? 8d75f0 }
            // n = 5, score = 500
            //   bf????????           |
            //   8d75e8               | lea                 esi, [ebp - 0x18]
            //   e8????????           |
            //   8b1d????????         |
            //   8d75f0               | lea                 esi, [ebp - 0x10]

        $sequence_9 = { 8945ec e8???????? 53 6a01 8d758c e8???????? 53 }
            // n = 7, score = 500
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   e8????????           |
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   8d758c               | lea                 esi, [ebp - 0x74]
            //   e8????????           |
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 328704
}

 
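To make the rule's mechanics concrete, the script below re-implements just enough of YARA to evaluate it: each hex string becomes a byte regex in which a "??" wildcard matches any single byte, and the condition "7 of them and filesize < 328704" is applied on top. It is an added example written for this write-up, not part of the rule, of YARA or of Trend Micro's analysis; the sample buffers produced by instantiate() are constructed solely to exercise the matcher. One caveat to keep in mind when deploying the rule: its name carries the win_ prefix and its byte sequences are 32-bit x86 code (the ebp- and esp-relative operands in the comments), so it is written for the Windows build of the ransomware and should not be expected to match the Linux sample on its own.

```python
import os
import re

# Hex-string bodies copied from the rule above ($sequence_0 to $sequence_9) and
# the two terms of its condition ("7 of them and filesize < 328704").
SEQUENCES = {
    "$sequence_0": "ff15???????? 85c0 7475 fe85a7fdffff 80bda7fdffff0c",
    "$sequence_1": "53 ff15???????? ff75e8 ff15???????? ff75e0 ff15???????? 3975f0",
    "$sequence_2": "eb43 b900100000 3bc1 733a 53 51",
    "$sequence_3": "83c424 33cd 33c0 5f e8???????? c9 c3",
    "$sequence_4": "813d????????a9aaaa0a 722b 68???????? 8d4dd4",
    "$sequence_5": "e8???????? 57 6a0c 5a 8bce 8d45e0 e8????????",
    "$sequence_6": "83ec40 53 56 33f6 57 8d5dc4",
    "$sequence_7": "50 8d45b0 50 e8???????? 8d45b0 50 8d85c0feffff",
    "$sequence_8": "bf???????? 8d75e8 e8???????? 8b1d???????? 8d75f0",
    "$sequence_9": "8945ec e8???????? 53 6a01 8d758c e8???????? 53",
}
MIN_MATCHES = 7
MAX_FILESIZE = 328704


def byte_pairs(body):
    """Yield two-character units ('ff', '??', ...) from a YARA hex-string body."""
    for token in body.split():
        if len(token) % 2:
            raise ValueError(f"odd-length token {token!r}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            if pair != "??" and "?" in pair:
                raise ValueError(f"nibble wildcard {pair!r} is not supported here")
            yield pair


def hex_pattern_to_regex(body):
    """Compile a hex string into a bytes regex: fixed bytes match literally,
    '??' matches any single byte (re.DOTALL so 0x0a is not treated specially)."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in byte_pairs(body)]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(body) for name, body in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's strings that occur at least once in `data`."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def evaluate(data):
    """Apply the rule's condition: filesize < 328704 and at least 7 of the 10 strings."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES


def evaluate_file(path):
    """Check a file on disk; skip the read entirely when the size term already fails."""
    if os.path.getsize(path) >= MAX_FILESIZE:
        return False
    with open(path, "rb") as fh:
        return evaluate(fh.read())


def instantiate(body, fill=0x90):
    """Constructed test data: one concrete byte string for a pattern, with every
    '??' replaced by `fill`. Used only to exercise the matcher, not a real sample."""
    return bytes(fill if p == "??" else int(p, 16) for p in byte_pairs(body))


if __name__ == "__main__":
    # Constructed buffer holding seven of the ten sequences back to back.
    sample = b"".join(instantiate(SEQUENCES[f"$sequence_{i}"]) for i in range(7))
    print(matching_sequences(sample), evaluate(sample))
```

For production scanning use the yara CLI or the yara-python binding rather than this evaluator; its purpose is to show what the wildcard hex strings and the "7 of them" threshold actually do, and why the filesize term is evaluated first.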

Recommendations

  • Multifactor authentication (MFA) should be enabled to stop attackers from moving laterally within a network.
  • When backing up essential files, follow the 3-2-1 rule: make three backup copies in two distinct file formats, and store one of the copies somewhere else.
  • Patch and update systems regularly; a consistent patch-management process prevents hostile actors from exploiting known software vulnerabilities. Keep operating systems and applications up to date.

MITRE ATT&CK

Tactic                Technique                                        ID
Defense Evasion       File Deletion                                    T1070.004
Discovery             System Information Discovery                     T1082
Execution             Command and Scripting Interpreter: Unix Shell    T1059.004
Command and Control   Ingress Tool Transfer                            T1105
Exfiltration          Exfiltration over Alternative Protocol           T1408
Exfiltration          Exfiltration over C2 Channel                     T1041
Impact                Data Encrypted for Impact                        T1486

IOCs

dffa99b9fe6e7d3e19afba38c9f7ec739581f656

2b82b463dab61cd3d7765492d7b4a529b4618e57

9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1

3642996044cd85381b19f28a9ab6763e2bab653c  

4cdee339e038f5fc32dde8432dc3630afd4df8a2  

0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098

hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh

hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x

hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/post.php

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.