IceFire Ransomware attacks Linux with IBM Exploit

Researchers has identified the Linux version of the IceFire ransomware that exploits a vulnerability in IBM’s Aspera Faspex file-sharing software.

The exploit is for the vulnerability tracked as CVE-2022-47986, a recently patched Aspera Faspex vulnerability.

IceFire malware is generally attacks Windows OS, but the version detected here detected uses an iFire extension, which showcases that IceFire is shifting focus to Linux enterprise systems and attacking organisations in media and entertainment area.

Advertisements

The IceFire Linux version is a 2.18 MB, 64 bit ELF binary file compiled with the open source GCC for AMD64 system architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian.

The IceFire Linux version was found deployed against hosts running CentOS that installed with a vulnerable version of IBM Aspera Faspex file server software. Once exploited the system downloaded the IceFire payloads and executed them to encrypt files and rename them with the “.ifire” extension, and then the payload delete itself to avoid detection.

The IceFire Linux payload is scripted to exclude encryption of certain system critical files and paths including, files extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, /run.

One of the tactic observed in the IceFire Linux variant is exploitation of a vulnerability instead of traditional delivery through phishing messages or pivoting through certain post exploitation third party frameworks including Empire, Metaspoilt, Cobalt Strike.

IceFire payloads are hosted on the VM hosted on DigitalOcean cloud,using the IP address 159.65.217.216. It is recommended wildcarding this Digital Ocean IP address in case the actors pivot to a new delivery domain.