RansomExx newer variants adapted to Attack Linux servers

RansomExx is a ransomware variant responsible for several high-profile attacks in 2020 and has revealed signs of further development and unhampered activity.

It includes the use of trojanized software to deliver malicious payloads and an overall short and fastest attack. The most recently reported development involves the use of newer variants adapted for Linux servers that effectively expanded its range to more than Windows servers.

In the United States, Canada, and Brazil RansomExx malware was found through its monitoring efforts.

RansomExx used to be operated by a threat group, which SecureWorks named GOLD DUPONT, that has been active since 2018”.

Malware like Vatet loader, PyXie, Trickbot, and RansomExx, as well as some post-intrusion tools like Cobalt Strike, are typically part of this threat group’s arsenal.

The Investigation

The experts initially identified the malware as a phishing email with an attached password-protected ZIP file, which is a Word document (detected as Trojan.W97M.SHATHAK.A) with a malicious macro.

It displays a message that enticed users into enabling macro content (as shown in the image below).

                        Malicious Word Document Content

After letting the macro inside the document, it will attempt to download the IcedID trojan (detected as TrojanSpy.Win32.ICEDID.BP) from a malicious URL. If the download succeeds, the trojan is executed using regsvr32.exe.

In this case, it used steganography as a method to deliver the payload through a .png file downloaded from a malicious URL.

The file is decrypted, and the payload is injected into memory. For persistence, IcedID creates a scheduled task to run hourly, in which it again uses regsvr32.exe to run its malicious DLL.

Malicious scheduled task initializing

Now, msiexec.exe is used to inject and deploy the final IcedID payload. With the final payload, the attacker will be able to load and execute the Cobalt Strike payload, allowing it to communicate with the command and control (C&C) server.

Telemetry data of the point-of-entry machine connecting to the C&C Server

After establishing a connection to the malicious server, the threat actor will start to gather machine information and move laterally.

Linux variant of RansomExx to compromise Linux servers

Experts observed that a new Linux variant of RansomEXX aiming for the VMware environment, particularly machines that serve as storage for the VMware files.

The experts analysed three variants of RansomExx for Linux using Trend Micro Telfhash, and all three samples shared the same behavior. The sample is multi-thread and goes straight to encryption. It has no network activities, no anti-analysis techniques, or other activities outside its main agenda.

Security Recommendations

  • Users must download files only from trusted and legitimate sources to prevent the entry of malicious files into their system.
  • Users should avoid enabling macros, and should be cautious of documents that prompt them to do so.

Hence, more robust security measures can prevent ransomware and other threats from having a strong impact on systems.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Also Read

Ransomware Operators Using SystemBC Backdoor with Tor proxy & RAT Futures to Attack New Targets

Ryuk Ransomware Operators Uses Pentester Toolkits for Targeted Cybercrime Operations

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.