IceFire Ransomware attacks Linux with IBM Exploit
Researchers have identified a Linux version of the IceFire ransomware that exploits a vulnerability in IBM’s Aspera Faspex file-sharing software.
The exploit is for the vulnerability tracked as CVE-2022-47986, a recently patched Aspera Faspex vulnerability.
IceFire malware generally attacks Windows, but the version detected here uses an iFire extension, which shows that IceFire is shifting focus to Linux enterprise systems and attacking organisations in the media and entertainment sector.
The IceFire Linux version is a 2.18 MB, 64-bit ELF binary compiled with the open source GCC for the AMD64 architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian.
The IceFire Linux version was found deployed against hosts running CentOS with a vulnerable version of IBM Aspera Faspex file server software installed. Once exploited, the system downloaded the IceFire payloads and executed them to encrypt files and rename them with the “.ifire” extension, and then the payload deleted itself to avoid detection.
The IceFire Linux payload is scripted to exclude certain system-critical files and paths from encryption, including the file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and the paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, /run.
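As an added example (not code from the original research or from the ransomware itself), the Python sketch below triages a file listing from a suspected host using the “.ifire” marker and the exclusion lists above. It assumes matching on the final file extension and on path prefixes, leaves out the bare "p" entry because its meaning is unclear, and uses constructed sample paths.

```python
import posixpath

# Exclusion lists as given in the article; the bare "p" entry is omitted (ambiguous).
SKIP_EXT = {".cfg", ".o", ".sh", ".img", ".txt", ".xml", ".jar", ".pid", ".ini",
            ".pyc", ".a", ".so", ".run", ".env", ".cache", ".xmlb"}
SKIP_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys",
             "/usr", "/var", "/run")
MARKER = ".ifire"  # extension appended to encrypted files


def under_skipped_dir(path):
    """True if path is one of the excluded directories or lies below one."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in SKIP_DIRS)


def classify(path):
    """Return 'encrypted', 'excluded' or 'in_scope' for one absolute path."""
    ext = posixpath.splitext(posixpath.normpath(path))[1].lower()
    if ext == MARKER:
        return "encrypted"
    if under_skipped_dir(path) or ext in SKIP_EXT:
        return "excluded"
    return "in_scope"  # not excluded, so back up / verify these first


def triage(paths):
    """Group a file listing; 'unexpected' holds marker files found under an
    excluded path, which does not match the behaviour described above."""
    report = {"encrypted": [], "excluded": [], "in_scope": [], "unexpected": []}
    for p in paths:
        kind = classify(p)
        report[kind].append(p)
        if kind == "encrypted" and under_skipped_dir(p):
            report["unexpected"].append(p)
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    "/home/media/render/final_cut.mov.ifire",
    "/home/media/render/notes.txt",
    "/opt/app/data/assets.db",
    "/etc/passwd",
    "/opt/app/run.sh",
    "/var/log/messages.ifire",
]

if __name__ == "__main__":
    for kind, files in triage(SAMPLE).items():
        print(f"{kind:10} {len(files)}  {files}")
```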
One of the tactics observed in the IceFire Linux variant is exploitation of a vulnerability instead of traditional delivery through phishing messages or pivoting through post-exploitation third-party frameworks including Empire, Metasploit, and Cobalt Strike.
IceFire payloads are hosted on a VM in the DigitalOcean cloud, using the IP address 126.96.36.199. Wildcarding this DigitalOcean IP address is recommended in case the actors pivot to a new delivery domain.
The IceFire payload uses an RSA encryption algorithm with an RSA public key hard-coded into the binary. The ransom demand message includes a predefined username and password that must be used to access the ransom payment website, which is hosted on a Tor hidden service.
Due to the difficulties in exploiting Linux, attackers have resorted to exploiting vulnerabilities in applications, as evidenced by the IceFire ransomware group, which used the IBM Aspera vulnerability to deploy their payloads.
This research was documented by researchers from SentinelOne.
Indicators of Compromise