A new Linux version of the IceFire ransomware was deployed in February and attacked the enterprise networks of several media and entertainment sector organizations around the world.
According to security researchers at SentinelOne, the campaign exploited CVE-2022-47986, a deserialization vulnerability in the recently patched IBM Aspera Faspex file sharing software.
According to Alex Delamotte, senior threat researcher at SentinelOne, writing in Thursday's advisory, the move represents a strategic shift that aligns IceFire with other ransomware groups that have also evolved to target Linux systems.
“Compared to Windows, Linux is more difficult to deploy ransomware on, especially at scale,” Delamotte wrote. “Many Linux systems are servers. Typical infection vectors such as phishing and drive-by downloads are not very effective. To overcome this, attackers exploit vulnerabilities in applications.”
In the latest attack observed by SentinelOne, the IceFire Linux variant, once executed, downloaded two separate payloads that encrypted files and then removed the malware from the system.
“IceFire ransomware does not encrypt all files on Linux. It avoids encrypting certain paths, so critical parts of the system continue to operate unencrypted,” Delamotte explained.
“Interestingly, multiple file-sharing clients downloaded harmless encrypted files after IceFire encrypted a shared folder on a file server. I was able to download the file from the server.”
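A check a defender can run on a file server share after the behaviour described above: flag files whose contents look uniformly random, since bulk-encrypted files have near-maximal byte entropy while ordinary documents do not. This is an added example, not SentinelOne's code or an IceFire artifact; the constructed share layout, the `.enc` file name, the 7.5 bits/byte threshold and the skipped-extension list are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Already-compressed or encrypted-by-design formats are high-entropy too;
# skipping them cuts noise on a typical media share (assumed list).
SKIP_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mkv",
                   ".zip", ".gz", ".7z", ".rar", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_files(root, threshold=7.5, sample_bytes=65536, min_size=256):
    """Walk `root` and return files whose leading sample looks like ciphertext."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) < min_size:
                    continue  # tiny files give unreliable entropy estimates
                with open(path, "rb") as fh:
                    sample = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable or vanished between listing and open
            if shannon_entropy(sample) >= threshold:
                flagged.append(path)
    return sorted(flagged)


def demo():
    """Constructed share: one plaintext report and one file overwritten with
    random bytes standing in for an encrypted copy (hypothetical .enc name)."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "report.txt"), "w") as fh:
            fh.write("Quarterly report: revenue up, costs flat. " * 200)
        with open(os.path.join(share, "report.txt.enc"), "wb") as fh:
            fh.write(os.urandom(8192))
        return [os.path.basename(p) for p in find_high_entropy_files(share)]


if __name__ == "__main__":
    print(demo())  # ['report.txt.enc']
```

Run it against a mounted share rather than the temporary directory to get a list of candidates; a sudden jump in the count, or a hit rate that is high only under one directory, is the signal worth alerting on, and the threshold should be tuned on a clean baseline of the same share first.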
At the time of writing, IceFire had reportedly affected victims in Turkey, Iran, Pakistan, and the United Arab Emirates (UAE). The Linux variant observed by SentinelOne was not detected by any of the 61 engines on VirusTotal.
“This evolution of IceFire reinforces that Linux-targeting ransomware will continue to grow in popularity through 2023,” added Delamotte. “The foundations were laid in 2021, but the Linux ransomware trend accelerated in 2022, with prominent groups such as BlackBasta, Hive, Qilin and Vice Society (aka HelloKitty) adding Linux encryptors to their arsenals.”
Ransomware is not the only malware targeting the Linux OS. In December 2022, Trend Micro observed threat actors using the Chaos RAT to improve the efficiency of cryptocurrency mining attacks against Linux systems.