Credit: Dreamstime
A novel Linux version of the IceFire ransomware that exploits a vulnerability in IBM's Aspera Faspex file-sharing software has been identified by SentinelLabs, a research division of cybersecurity company Sentinel One.
The exploit is for CVE-2022-47986, a recently patched Aspera Faspex vulnerability.
Known up to now to target only Windows systems, the IceFire malware detected by SentinelLabs uses an iFire extension, consistent with a February report from MalwareHunterTeam — a group of independent cybersecurity researchers analyzing and tracking threats — that IceFire is shifting focus to Linux enterprise systems.
Contrary to past behavior targeting technology companies, the Linux variant of IceFire was observed attacking media and entertainment companies.
The attackers’ tactics are consistent with those of the "big-game hunting" (BGH) ransomware families, which involve double extortion, attacks against large enterprises, the use of numerous persistence mechanisms, and evasion tactics such as deleting log files, according to the SentinelLabs report. Double extortion occurs when attackers steal data as well encrypting it, and usually ask for ransom that's double the usual payment.
Characteristics of the IceFire Linux variant
The IceFire Linux version is a 2.18 MB, 64 bit ELF (executable and linkable) binary file compiled with the open source GCC (GNU compiler collection) for AMD64 system processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian.
The IceFire Linux version was found deployed against hosts running CentOS, an open-source Linux distribution, that ran a vulnerable version of IBM Aspera Faspex file server software.
Using this exploit, the system downloaded the IceFire payloads and executed them to encrypt files and rename them with the ".ifire" extension, after which the payload was designed to delete itself to avoid detection.
The IceFire Linux payload is scripted to exclude encryption of certain system- critical files and paths including, files extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, /run.
This was done so that critical parts of systems are not encrypted and remain operational.
Another new tactic observed in the IceFire Linux variant was the exploitation of a vulnerability instead of traditional delivery through phishing messages or pivoting through certain post exploitation third party frameworks including Empire, Metaspoilt, Cobalt Strike.
IceFire Payload uses RSA encryption, Tor network
IceFire payloads are hosted on the DigitalOcean droplet, a virtual machine hosted on the DigitalOcean cloud computing platform using the IP address 159.65.217.216.
SentinelLabs recommends wildcarding this Digital Ocean IP address in case the actors pivot to a new delivery domain. Wildcarding refers to the use of a wildcard character in a security policy or configuration rule to cover multiple devices.
The IceFire payload uses an RSA encryption algorithm with an RSA public key hard-coded into the binary. Additionally, the payload drops a ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption, added the report.
The IceFire ransom demand message includes a predefined username and password that must be used to access the ransom payment website, which is hosted on a Tor hidden service (websites and services are hosted on the decentralized Tor network to enable anonymous browsing).
Compared to Windows, Linux presents more challenges for ransomware, especially on a large scale — many Linux systems are servers, which are less susceptible to common infection methods like phishing or drive-by downloads. This is why attackers have resorted to exploiting vulnerabilities in applications, as evident by the IceFire ransomware group, which used the IBM Aspera vulnerability to deploy their payloads.
