A simple review on "Exposing Malware in Linux-Based Multi-Cloud Environments" document

Thanks to VMware TAU (Threat Analysis Unit) for publishing a technical report about the ransomware, cryptominers, and RAT attacks and techniques. This document focused on all recent critical threats against the Linux-based multi-cloud environment, like REvil and Defray777. 

I asked one of my technical staff (TW:alirahimi681) to review this very useful document. After his deeply reading, he summarized an easy-to-read draft about two categories of threats in this document: Ransomware and Cryptominer. Then I decided to publish this briefing on my blog for whom that may not read the whole original document. 

Ransomware families:

VMware TAU analyzed nine ransomware families and characterized their evolution. They started analyzing the different characteristics of the ransomware samples of each of these by looking at the static information extracted from their ELF files. While threats can be a combination of shell scripts, Python scripts, and binaries, this report focuses on the binaries. Binaries are usually the components that carry out the file system encryption in a ransomware attack.

REvil: Also known as Sodinokibi, originally targeted Windows hosts but released a Linux version in spring 2021. Interestingly, this threat relies on the esxcli tools to stop the current ESXi virtual machines. It then encrypts their on-disk images to prevent the recovery of running VMs. Recently, REvil actors have been targeted by a coordinated take-down operation that may impact future variants.

DarkSide: The actors behind DarkSide initially distributed REvil. Usually, they are using REvil as a service they called ransomware as a service (RaaS) operator. This ransomware has been used to target a wide variety of organizations and initially targeted Windows but quickly evolved to include Linux targets and in particular, those running on ESXi servers. These servers are usually targeted after the threat actors gain access to a VMware vCenter deployment, often by means of stolen credentials.

BlackMatter: The actors behind BlackMatter made sure to publicly announce that they were not targeting specific verticals, such as healthcare, oil and gas, government, and critical infrastructure companies possibly following the backlash that the Colonial Pipeline attack created, and the unwanted attention that the DarkSide operators received.

Defray777: Defray ransomware is another Linux-based threat that targets ESXi VMs. An interesting property of some of its samples is that it doesn’t strip or tamper with ELF binaries, which makes them easier to analyze. This ransomware family is closely related to RansomEXX to the point that sometimes the two families are considered to be variations of the same threat.

HelloKitty: The actors behind HelloKitty ransomware have achieved notoriety after successfully attacking CD Projekt Red, the makers of the Cyberpunk 2077 video game. It’s a Windows-based threat that evolved and expanded into the Linux world, targeting Linux-based systems and ESXi servers. Like other samples that target ESXi VMs, HelloKitty uses the esxcli tool to stop the VMs currently running before encrypting their files.

ViceSociety: Their malware shows substantial similarities with the HelloKitty ransomware. This ransomware family was responsible for attacking the United Health Centers in the San Joaquin Valley in California, among other targets, which resulted in the leaking of sensitive patient record

EreBus: This is a relatively older ransomware family. It initially targeted Windows hosts but evolved in 2016 to include a Linux variant. This threat is unique because of its multilingual nature. While the actors behind the ransomware have stopped their activity, it is still an interesting sample that shares some behaviors with other ransomware families.

GonnaCry: This is an open-source ransomware sample written in C and Python. While the Python version is mostly used as a way to showcase some of the behaviors associated with ransomware, the C version has actually been observed in the wild.

ECh0raix: This ransomware targets QNAP NAS storage devices with weak credentials. This family is written in the Go language, and its features are simpler than other ransomware families.

Cryptominer Families:

XMRig: Is an open-source miner available for Windows, Linux and macOS. While this miner is not a threat by itself, a variant of this component is often deployed as part of crypto-jacking attacks to perform the mining. XMRig is often used to mine the Monero cryptocurrency, which is the preferred target because it can be mined without needing specialized hardware.

Sysrv: Is a botnet written in Go with cryptomining capabilities that has been recently deployed against K8s pods running WordPress. This threat attempts to spread on the network via performing password dictionary attacks against vulnerable services and using a database of exploits against known RCE vulnerabilities.

Team TNT: This threat’s actors target open K8s / Docker environments to deploy XMRig cryptominers. To evade detection, this threat hijacks the library loading mechanism to hide specific directories in the /proc file system, which are associated with the processes running the cryptominers.

Mexalz: Mostly customized versions of XMRig that is exploiting weak credentials to compromise hosts and deploy cryptomining malware.

Omelette: Is a cryptomining worm that exploits known vulnerabilities in Exim, WebLogic, and Confluence to install modified versions of XMRig. It spreads to other systems by exploiting trust relationships.

WatchDog: Represents one of the longest-running cryptomining operations that is written in Go. The name is derived from the presence of a component that is tasked to monitor the execution of the actual cryptomining program, similar to the Linux utility “watchdog.”

Kinsing: The attack exploits Docker API endpoints that are open to the world to download and install a number of shell scripts that aid in persistence and ultimately lead to the download of a cryptomining component.