URL: https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/
MASSIVE RANSOMWARE ATTACK TARGETS VMWARE ESXI SERVERS

February 6, 2023




ESXI ARGS RANSOMWARE OUTBREAK AFFECTS OVER 1,000 SERVERS



On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware
ESXi servers to deploy ESXiArgs ransomware. The report also stated that the
Threat Actors (TAs) were leveraging a two-year-old vulnerability tracked as
CVE-2021-21974. According to VMware, ESXi versions 7.0 before
ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before
ESXi650-202102101-SG contain a heap overflow vulnerability in OpenSLP. A TA on
the same network as the ESXi machine, with access to port 427, may be able to
exploit this vulnerability to execute code remotely.

Online scanner data also shows that the infection is widespread, with close to
1,000 servers infected globally. The ransomware has mostly impacted France,
followed by the United States and Germany, as shown below.

Figure 1 – Statistics of Args Ransomware (Source: Shodan)

Recently, a copy of the ESXiArgs encryptor was retrieved by an admin who shared
the samples in the BleepingComputer support forums.

The samples from this ransomware attack include two files, “encrypt.sh” and
“encrypt”, which are responsible for the encryption. “encrypt.sh” is a shell
script that performs several operations before starting the encryption process
and then executes the “encrypt” ELF executable to encrypt files.




TECHNICAL ANALYSIS:



The shell script performs various operations, such as modifying configuration
files, encrypting files, establishing persistence for ransomware notes, and
removing malware from the ESXi server. This blog provides technical insights
into the shell script and the ransomware payload.


MODIFYING THE CONFIG FILE



The shell script first identifies the configuration files of the virtual
machines running on the ESXi server using the “esxcli vm process list” command
and modifies the paths to the virtual disk and swap files in them: every
occurrence of ‘.vmdk’ is replaced with ‘1.vmdk’ and every ‘.vswp’ with ‘1.vswp’.

Figure 2 – Code to modify the config file



By renaming the file references in the configuration files, the ransomware makes
it difficult for victims to locate and restore the original data after
encryption. After changing the configuration files, the shell script terminates
the running virtual machine (vmx) processes on the ESXi server using the
“kill -9 $(ps | grep vmx | awk ‘{print $2}’)” command.


ENCRYPTING FILES



Now the malicious script has full control over the files and can start the
encryption process. First, it iterates through the volumes present on the ESXi
server and searches each volume for files with specific extensions, including
“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and
“.vmem”.

The script then calculates the file sizes and encrypts the files using the
Linux ELF executable “encrypt”, passing the file “public.pem” as an argument.
“public.pem” is an RSA public key that the ransomware uses to encrypt the key
employed for encrypting the files.

Figure 3 – File extensions targeted for encryption




PERSISTENCE



After encrypting files, the script searches for the file named “index.html” in
the directory “/usr/lib/vmware” and replaces it with a ransom note. The original
“index.html” file is renamed to “index1.html,” and a new “index.html” file with
the ransom note is copied to its place, as shown below.

Figure 4 – Copying Ransom Note



The script also replaces the original “/etc/motd” file by renaming it to “motd1”
and then copying the ransom note from the location “$CLEAN_DIR/motd” to
“/etc/motd”, effectively replacing the original file.

Replacing these files with a ransom note is a common tactic used by ransomware
to display a ransom note to users upon logging in.


CLEANUP



The script finds all .log files in the root directory and deletes them
recursively to erase all traces created by the ransomware. The script now
monitors the completion of the encryption process by checking for running
process names that contain the string “encrypt”.

It continually retrieves the count of these processes and waits for 0.1 seconds
if the count is not equal to zero. When the script identifies that there are no
running processes named “encrypt”, it recognizes that the encryption process has
finished and exits the loop.

Figure 5 – Deleting logs and checking the status of the ransomware infection



After this, the script modifies and removes certain files from the victim’s
machine. Interestingly, the script deletes a file named
“/store/packages/vmtools.py”, which is similar to a Python backdoor file
documented by Juniper in December 2022.

The figure below shows the code snippet used for cleaning up.

Figure 6 – Code snippet used for cleaning up
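The artefacts the shell script leaves behind are also what a responder should look for. As an added defensive example (not code from Cyble's post or from the malware), this POSIX sh triage script checks a filesystem root for them: the vmtools.py backdoor, the renamed index1.html and motd1, ransom notes over /etc/motd and index.html, .vmx configs rewritten to 1.vmdk/1.vswp, and lingering encrypt processes. The TOX_ID marker string and the root-path argument are assumptions.

```shell
#!/bin/sh
# ESXiArgs host triage. Added defensive example: not Cyble's code and not the
# malware's script. Pass "/" on a live ESXi host, or the mount point of an
# offline filesystem image. Every check is a heuristic; confirm hits by hand.

# Files encrypt.sh leaves behind: the vmtools.py backdoor (removed only at
# cleanup) and the renamed originals index1.html and motd1.
esxiargs_leftover_files() {
    root="${1%/}"
    for f in "$root/store/packages/vmtools.py" \
             "$root/usr/lib/vmware/index1.html" \
             "$root/etc/motd1"; do
        [ -e "$f" ] && echo "leftover: $f"
    done
    return 0
}

# Ransom note copied over /etc/motd and the ESXi web index page. The note
# points victims at a TOX_ID, so that string is the marker (an assumption).
esxiargs_ransom_notes() {
    root="${1%/}"
    for f in "$root/etc/motd" "$root/usr/lib/vmware/index.html"; do
        [ -f "$f" ] && grep -qi 'TOX_ID' "$f" && echo "ransom note: $f"
    done
    return 0
}

# VM configs whose disk/swap paths were rewritten to end in 1.vmdk / 1.vswp.
# A disk legitimately named "foo1.vmdk" matches too: a lead, not proof.
esxiargs_rewritten_vmx() {
    root="${1%/}"
    find "${root:-/}" -type f -name '*.vmx' \
        -exec grep -lE '1\.(vmdk|vswp)"' {} + 2>/dev/null
    return 0
}

# "encrypt" processes still running, polled the way the script itself does.
# Only meaningful on a live host; [e] keeps grep out of its own results.
esxiargs_encrypt_procs() {
    ps 2>/dev/null | grep -c '[e]ncrypt' || true
}

esxiargs_triage() {
    esxiargs_leftover_files "$1"
    esxiargs_ransom_notes "$1"
    esxiargs_rewritten_vmx "$1" | sed 's/^/rewritten vmx: /'
    echo "running encrypt processes: $(esxiargs_encrypt_procs)"
}

if [ "$#" -gt 0 ]; then esxiargs_triage "$1"; fi
```

Run it as sh esxiargs_triage.sh / on a live host, or point it at the root of a mounted image for offline review.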


RANSOMWARE PAYLOAD



The sample hash (SHA256),
11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66, was taken for
this analysis. Based on static analysis, we found that the malicious file is a
64-bit gcc compiled ELF binary, as shown in the below figure.

Figure 7 – Static details of Ransomware payload




USAGE:



The malware takes several arguments, including a public key and the file to be
encrypted, and has various optional parameters:

    encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]
      enc_step  – number of MB to skip while encrypting
      enc_size  – number of MB in an encryption block
      file_size – file size in bytes (for sparse files)

Upon execution, the ransomware carries out multiple steps for encryption of the
system files, such as:

 * init_libssl()
 * get_pk_data()
 * create_rsa_obj()
 * encrypt_file()

The ransomware initializes the libssl library and then uses the get_pk_data()
function to get public key data. This data is then processed using the
create_rsa_obj() function to form an RSA public key. The encrypt_file() function
implements the encryption of files by utilizing RSA encryption along with the
“Sosemanuk Stream Cipher” algorithm.

The encrypt_file() function further calls the encrypt_simple() function to
perform the encryption. The image below shows the code snippet of the
encrypt_file() function.

Figure 8 – Code snippet of the encrypt_file() function



The figure below shows the code snippet of the encrypt_simple() function, which
calls Sosemanuk_encrypt() to perform the encryption.

Figure 9 – Code snippet of encrypt_simple()



Once the files have been encrypted, victims are shown a ransom note instructing
them to contact the attackers through their TOX_ID to restore the encrypted
files or prevent them from being leaked, as shown below.

Figure 10 – Ransom note




CONCLUSION



Threat Actors (TAs) are utilizing a previously identified vulnerability,
CVE-2021-21974, to launch ransomware attacks on VMware ESXi servers. The ESXi
Args attack uses a shell script file “encrypt.sh” that runs an ELF
executable “encrypt” to encrypt files. It has been reported that nearly
1,000 ESXi servers have been affected by the ESXi Args ransomware globally.

CRIL will continue monitoring ESXi Args and update our readers on further
developments. We will also monitor any related or similar Ransomware to keep our
readers up to date on the TTPs used, our findings, and recommendations to avoid
becoming a victim.


OUR RECOMMENDATIONS



 * It is strongly recommended that users and administrators of specific versions
   of VMware ESXi products update to the latest versions as soon as possible due
   to a vulnerability that affects these versions.
 * Conducting a full system scan to identify potential security breaches is
   highly recommended. Additionally, users and administrators should evaluate if
   it is feasible to turn off port 427, which was the target of a ransomware
   attack, without affecting the system’s normal functioning.
 * Check if the file “vmtools.py” is present in the “/store/packages/” location.
   If it is found, it is recommended to delete the file immediately.
 * Conduct regular backup practices and keep those backups offline or in a
   separate network.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic.
 * Install reputable anti-virus and Internet security software on all connected
   devices, including personal computers, laptops, and mobile phones.
 * Remove any infected devices connected to the same network and disconnect
   external storage devices if they are connected.


MITRE ATT&CK® TECHNIQUES



Tactic               Technique ID   Technique Name
Execution            T1204          User Execution
Execution            T1059          Command and Scripting Interpreter
Execution            T1064          Scripting
Persistence          T1543          Systemd Service
Defense Evasion      T1064          Scripting
Defense Evasion      T1222          File and Directory Permissions Modification
Defense Evasion      T1027          Obfuscated Files or Information
Discovery            T1082          System Information Discovery
Discovery            T1083          File and Directory Discovery
Discovery            T1518          Security Software Discovery
Command and Control  T1071          Application Layer Protocol


INDICATORS OF COMPROMISE (IOCS)



Indicator                                                          Indicator Type   Description
10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459   SHA256           encrypt.sh
11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66   SHA256           encrypt


REFERENCE



https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
