A new variant of the TargetCompany ransomware uses a custom shell script for payload delivery and execution; this is the first time the technique has been observed in the wild.
The script is also used for data exfiltration: the stolen data is sent to two different servers so that the ransomware actors keep a backup copy of the information.
The new Linux-based variant was specifically designed to target VMware ESXi environments.
TargetCompany has been active since June 2021; once it encrypts a file, it appends the .mallox, .exploit, .architek, or .brg extension to the encrypted file's name.
Like other ransomware, TargetCompany removes shadow copies on all drives and kills some processes that may hold valuable files open, such as databases.
In February 2022, Czech cybersecurity software firm Avast released a decryption tool that could allow victims of the TargetCompany ransomware to recover their files for free under certain circumstances.
The threat actors behind TargetCompany are now also targeting virtualization environments to expand the scope of their attacks and cause greater damage and disruption. The ransomware operators have added the capability to detect whether a machine is running in a VMware ESXi environment by executing the “uname” command.
If the system name matches “vmkernel,” it indicates the machine is running VMware’s ESXi hypervisor. The malware then enters “VM mode” to encrypt files with specific extensions.
Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. As with the Windows variant of the ransomware, the content of TargetInfo.txt is then sent to a C2 server.
Once the encryption process is completed, it drops a ransom note file named “HOW TO RECOVER !!.TXT” in all folders containing encrypted files. The malware appends the “.locked” extension to the encrypted filenames.
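The behaviour described above (ESXi detection, the TargetInfo.txt drop, the ransom note in every folder with encrypted files, and the .locked extension) leaves artifacts a responder can look for on a datastore. The following is an added triage example written for this article; it is not code from Trend Micro or from the report. It assumes a responder already has a list of file paths (for example from a datastore listing) and it only uses the artifact names the article quotes; the sample paths are constructed and the datastore layout is assumed.

```python
"""Triage helper (added example, not from the article or Trend Micro): scan a
list of file paths for the on-disk artifacts the article attributes to the
TargetCompany Linux/ESXi variant and to its earlier Windows builds."""
import os
from collections import defaultdict

# Artifact names quoted in the article. Matching is exact (and case-sensitive)
# because the ESXi datastore filesystem preserves case.
RANSOM_NOTE = "HOW TO RECOVER !!.TXT"   # dropped in every folder with encrypted files
VICTIM_INFO = "TargetInfo.txt"          # victim details, later sent to the C2
LINUX_EXT = ".locked"                   # extension appended by the Linux/ESXi variant
WINDOWS_EXTS = (".mallox", ".exploit", ".architek", ".brg")  # earlier Windows builds


def triage_paths(paths):
    """Summarise TargetCompany-style artifacts found in `paths`.

    affected_dirs lists directories holding both the ransom note and at least
    one .locked file, which is the pattern the article describes (the note is
    dropped in all folders containing encrypted files). A note on its own is a
    weak signal; a note next to encrypted files, or TargetInfo.txt together with
    encrypted files, is treated as a strong one.
    """
    note_dirs = set()
    encrypted = defaultdict(list)   # directory -> list of .locked files
    windows_style = []
    victim_info = []
    for path in paths:
        directory, name = os.path.split(path)
        if name == RANSOM_NOTE:
            note_dirs.add(directory)
        elif name == VICTIM_INFO:
            victim_info.append(path)
        elif name.endswith(LINUX_EXT):
            encrypted[directory].append(path)
        elif name.lower().endswith(WINDOWS_EXTS):
            windows_style.append(path)

    affected = sorted(d for d in note_dirs if encrypted.get(d))
    encrypted_files = sorted(p for files in encrypted.values() for p in files)
    suspicious = (
        bool(affected)
        or bool(victim_info and encrypted_files)
        or bool(windows_style and note_dirs)
    )
    return {
        "encrypted_files": encrypted_files,
        "ransom_note_dirs": sorted(note_dirs),
        "affected_dirs": affected,
        "victim_info": victim_info,
        "windows_style_files": windows_style,
        "suspicious": suspicious,
    }


# Constructed sample listing; the datastore layout is assumed, not taken from a real incident.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.locked",
    "/vmfs/volumes/datastore1/web01/web01.vmx.locked",
    "/vmfs/volumes/datastore1/web01/HOW TO RECOVER !!.TXT",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.locked",
    "/vmfs/volumes/datastore1/db01/HOW TO RECOVER !!.TXT",
    "/vmfs/volumes/datastore1/iso/ubuntu.iso",
    "/tmp/TargetInfo.txt",
    "/vmfs/volumes/datastore1/HOW TO RECOVER !!.TXT",  # note alone: no encrypted files here
]

if __name__ == "__main__":
    result = triage_paths(SAMPLE_PATHS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The function returns structured results rather than printing them so it can feed a ticket or a SIEM event; the per-directory grouping is what distinguishes a real encryption run from a stray copy of the ransom note.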
“The IP address used to deliver the payload and exfiltrate a victim’s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China,” reads the report published by Trend Micro. “The certificate also was recently registered and is valid for only three months, indicating that it might be intended for short-term use.”
Trend Micro linked the sample analyzed by its researchers to an affiliate named “vampire,” which was identified through data sent to its C2 server. The experts believe that larger campaigns with high ransom demands and extensive IT system targeting are ongoing. “Vampire” may be connected to an affiliate mentioned in a report published by Sekoia.
Malicious actors are continually enhancing their TTPs, as demonstrated by the emergence of TargetCompany’s new Linux variant. The latest development allows the operators to broaden their range of potential victims by targeting VMware ESXi environments.
Trend Micro also published the indicators of compromise for this threat.
Pierluigi Paganini
(SecurityAffairs – hacking, ransomware)