New Linux variations of the IceFire ransomware were being deployed in February, against business networks of a number of media and amusement sector companies around the world.
According to security researchers at SentinelOne, the marketing campaign leveraged the exploitation of CVE-2022-47986, a lately patched deserialization vulnerability in IBM Aspera Faspex file-sharing computer software.
“The operators of the IceFire malware, who earlier centered only on targeting Windows, have now expanded their focus to include Linux,” wrote SentinelOne senior danger researcher Alex Delamotte in Thursday’s advisory.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The move represents a strategic change, states the security researcher, that aligns the IceFire team with other ransomware teams that have also developed to focus on Linux devices.
“In comparison to Windows, Linux is more tricky to deploy ransomware against, notably at scale,” Delamotte wrote. “Many Linux systems are servers: usual an infection vectors like phishing or drive-by down load are fewer productive. To overcome this, actors switch to exploiting software vulnerabilities.”
In the most new attacks observed by SentinelOne, on execution, the IceFire Linux variation downloaded two different payloads that encrypt data files and then delete the malware.
“IceFire ransomware doesn’t encrypt all files on Linux: it avoids encrypting particular paths so that critical pieces of the system are not encrypted and continue to be operational,” explained Delamotte.
“Interestingly, numerous file-sharing customers downloaded benign encrypted documents soon after IceFire experienced encrypted the file server’s shared folders. In spite of the attack on the server, consumers have been continue to in a position to down load data files from the encrypted server.”
At the time of producing, IceFire has reportedly impacted victims in Turkey, Iran, Pakistan and the United Arab Emirates (UAE). The Linux variants noticed by SentinelOne ended up detected by none of the 61 VirusTotal engines.
“This evolution for IceFire fortifies that ransomware focusing on Linux continues to expand in attractiveness by 2023,” Delamotte additional. “While the groundwork was laid in 2021, the Linux ransomware craze accelerated in 2022 when illustrious teams included Linux encryptors to their arsenal, together with the likes of BlackBasta, Hive, Qilin, Vice Culture (aka HelloKitty) and other folks.”
Ransomware is not the only form of malware significantly targeting the Linux OS. In December 2022, Craze Micro observed threat actors employing the Chaos RAT to strengthen the performance of cryptocurrency mining attacks versus Linux techniques.
Some pieces of this article are sourced from: