IceFire ransomware targets Linux enterprise systems
Cybersecurity researchers from SentinelLabs discovered a new variant of the IceFire ransomware that specifically targets Linux enterprise systems.
SentinelLabs was the first to report the Linux variant, which encrypts files on the infected system and demands a ransom for their release. It was deployed by exploiting CVE-2022-47986, a vulnerability in IBM Aspera Faspex file server software tracked in the Common Vulnerabilities and Exposures (CVE) database. An attacker can exploit this flaw to execute arbitrary code on a vulnerable Faspex server; the CVE identifies the vulnerability, not the ransomware itself.
IceFire employs a variety of techniques to avoid detection by antivirus software. Earlier IceFire campaigns are thought to have spread through phishing emails and drive-by downloads. Faspex is widely used in enterprises, and the flaw stems from unsafe handling of untrusted input; successful exploitation can result in the complete compromise of the affected server.
The IceFire malware detected by SentinelLabs appends an iFire extension to encrypted files, which is consistent with a February report from MalwareHunterTeam that IceFire is shifting focus to Linux enterprise systems.
The IceFire Linux version was discovered on CentOS hosts (an open-source Linux distribution) running a vulnerable version of IBM Aspera Faspex file server software. Another novel aspect of the Linux variant was delivery by exploiting a vulnerability rather than traditional delivery via phishing messages or pivoting through post-exploitation frameworks such as Empire, Metasploit, and Cobalt Strike.
According to the SentinelLabs report, the attackers’ tactics are consistent with those of the “big-game hunting” (BGH) ransomware families: double extortion, attacks against large enterprises, the use of numerous persistence mechanisms, and evasion tactics such as deleting log files. Double extortion means the attackers steal data before encrypting it and threaten to publish it if the ransom is not paid, giving the victim a second reason to pay beyond recovering the files.
The IceFire Linux version (SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973) is a 2.18 MB, 64-bit ELF binary compiled with gcc for the AMD64 architecture. SentinelLabs tested the sample on Intel-based Ubuntu and Debian systems, and it ran successfully on both. In observed intrusions, the attackers downloaded two payloads to the compromised Faspex hosts using wget and saved them to disk.
On execution, IceFire encrypts files and appends the “.ifire” extension (also written “.iFire”) to each file name, then deletes its own binary from disk. Files with the “.sh” and “.cfg” extensions are skipped.
IceFire does not encrypt every file on Linux: it excludes certain system paths so that critical parts of the operating system remain operational. The exclusions protect the system rather than its data: in one observed infection, the /srv directory, which typically holds served content, was encrypted.
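The behaviours above (the published SHA-1, the .ifire extension on encrypted files, untouched .sh and .cfg files beside them, and a binary that unlinks itself after launch) are the indicators a responder would check first. The script below is an added triage example written for this page, not code from SentinelLabs or the report; it walks a directory for those file-level indicators and, on a live Linux host, lists processes whose /proc/<pid>/exe link points at a deleted file, which is how a self-deleting encryptor still shows up while running. The sample directory it builds is constructed for the demonstration.

```python
"""Added IceFire triage example (not from the SentinelLabs report)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 of the IceFire Linux sample named in the report.
ICEFIRE_SHA1 = "b676c38d5c309b64ab98c2cd82044891134a9973"
ENCRYPTED_EXT = ".ifire"
# Extensions the report says the encryptor skips; intact files with these
# extensions next to encrypted ones are consistent with this family.
SKIPPED_EXTS = {".sh", ".cfg"}


def sha1_of(path):
    """Stream a file through SHA-1 so large payloads do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and return the IceFire file-level indicators found under it."""
    encrypted, skipped_intact, hash_hits = [], [], []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.name.lower().endswith(ENCRYPTED_EXT):
            encrypted.append(str(path))
        elif path.suffix.lower() in SKIPPED_EXTS:
            skipped_intact.append(str(path))
        try:
            if sha1_of(path) == ICEFIRE_SHA1:
                hash_hits.append(str(path))
        except OSError:
            pass  # unreadable file; skip rather than abort the sweep
    return {
        "encrypted": sorted(encrypted),
        "skipped_intact": sorted(skipped_intact),
        "hash_hits": sorted(hash_hits),
        "likely_icefire": bool(encrypted or hash_hits),
    }


def exe_link_is_deleted(link_target):
    """True when a readlink() of /proc/<pid>/exe names an unlinked binary.

    The kernel appends ' (deleted)' to the target once the file is removed,
    which is exactly what a self-deleting encryptor leaves behind while running.
    """
    return link_target.endswith(" (deleted)")


def deleted_exe_processes():
    """Live check (Linux only): (pid, exe target) pairs whose binary is gone from disk."""
    hits = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads and processes we may not inspect
        if exe_link_is_deleted(target):
            hits.append((int(pid), target))
    return hits


def build_sample_tree():
    """Constructed sample directory shaped like a partially encrypted /srv."""
    d = Path(tempfile.mkdtemp(prefix="icefire_demo_"))
    (d / "www").mkdir()
    (d / "www" / "index.html.ifire").write_bytes(b"\x00" * 64)
    (d / "www" / "report.pdf.ifire").write_bytes(b"\x00" * 64)
    (d / "www" / "backup.sh").write_text("#!/bin/sh\necho intact\n")
    (d / "app.cfg").write_text("port=8080\n")
    return d


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
    if os.path.isdir("/proc"):
        print(deleted_exe_processes())
```

Run it against a real mount point (for example `scan_tree("/srv")`) on a suspect host; a hash hit is conclusive for this sample, while the extension pattern alone is a strong but circumstantial signal. The deleted-exe check will also list legitimate processes whose binaries were upgraded on disk, so treat those hits as leads to confirm, not verdicts.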
The sources for this piece include an article in CSOOnline.