Traditionally known to target only Windows systems, the new Linux version of the IceFire ransomware exploits an IBM Aspera Faspex file-sharing vulnerability, according to SentinelLabs.

A novel Linux version of the IceFire ransomware that exploits a vulnerability in IBM’s Aspera Faspex file-sharing software has been identified by SentinelLabs, a research division of cybersecurity company SentinelOne. The exploit is for CVE-2022-47986, a recently patched Aspera Faspex vulnerability.

Known up to now to target only Windows systems, the IceFire malware detected by SentinelLabs uses an iFire extension, consistent with a February report from MalwareHunterTeam — a group of independent cybersecurity researchers analyzing and tracking threats — that IceFire is shifting its focus to Linux enterprise systems.

Contrary to its past behavior of targeting technology companies, the Linux variant of IceFire was observed attacking media and entertainment companies. The attackers’ tactics are consistent with those of the “big-game hunting” (BGH) ransomware families, which involve double extortion, attacks against large enterprises, the use of numerous persistence mechanisms, and evasion tactics such as deleting log files, according to the SentinelLabs report. Double extortion occurs when attackers steal data as well as encrypting it, and usually ask for a ransom that’s double the usual payment.

Characteristics of the IceFire Linux variant

The IceFire Linux version is a 2.18 MB, 64-bit ELF (Executable and Linkable Format) binary compiled with the open-source GCC (GNU Compiler Collection) for the AMD64 processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian.
The IceFire Linux version was found deployed against hosts running CentOS, an open-source Linux distribution, that ran a vulnerable version of the IBM Aspera Faspex file server software. Using this exploit, the compromised system downloaded the IceFire payloads and executed them to encrypt files and rename them with the “.ifire” extension, after which the payload was designed to delete itself to avoid detection.

The IceFire Linux payload is scripted to exclude certain system-critical files and paths from encryption, including the file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and the paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, and /run. This is done so that critical parts of the system are not encrypted and remain operational.

Another new tactic observed in the IceFire Linux variant was the exploitation of a vulnerability instead of the traditional delivery through phishing messages or pivoting through post-exploitation third-party frameworks such as Empire, Metasploit, and Cobalt Strike.

IceFire payload uses RSA encryption, Tor network

IceFire payloads are hosted on a DigitalOcean droplet, a virtual machine on the DigitalOcean cloud computing platform, using the IP address 159.65.217.216. SentinelLabs recommends wildcarding this DigitalOcean IP address in case the actors pivot to a new delivery domain. Wildcarding refers to the use of a wildcard character in a security policy or configuration rule to cover multiple devices. The IceFire payload uses an RSA encryption algorithm with an RSA public key hard-coded into the binary.
Additionally, the payload drops a ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption, the report added. The IceFire ransom demand message includes a predefined username and password that must be used to access the ransom payment website, which is hosted on a Tor hidden service (websites and services are hosted on the decentralized Tor network to enable anonymous browsing).

Compared to Windows, Linux presents more challenges for ransomware, especially at scale — many Linux systems are servers, which are less susceptible to common infection methods like phishing or drive-by downloads. This is why attackers have resorted to exploiting vulnerabilities in applications, as evidenced by the IceFire ransomware group, which used the IBM Aspera vulnerability to deploy its payloads.
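As an added example that is not part of the SentinelLabs report or this article, the following Python triage scan looks for the host-side traces described above (files renamed with the .ifire extension and a ransom note dropped in each encrypted directory) and flags any hits under the paths the payload is reported to skip, since those would contradict the described behaviour and merit a closer look. The ransom-note filename is an assumed placeholder (the article does not give one), and the directory tree it scans is constructed inline.

```python
import os
import tempfile
from collections import Counter

IFIRE_EXT = ".ifire"                  # extension the report says encrypted files receive
RANSOM_NOTE_NAME = "RANSOM_NOTE.txt"  # hypothetical placeholder; the article gives no filename
# Paths the report says the payload skips; hits under them are unexpected and worth a look
SKIPPED_TOP_DIRS = ("boot", "dev", "etc", "lib", "proc", "srv", "sys", "usr", "var", "run")


def scan_for_icefire(root):
    """Walk `root` and summarise IceFire-style indicators: per-directory counts of
    .ifire files, which hit directories also hold the (assumed) ransom note, and
    any hits under paths the payload is reported to leave alone."""
    encrypted = Counter()
    with_note = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        hits = [f for f in files if f.endswith(IFIRE_EXT)]
        if not hits:
            continue
        encrypted[rel] = len(hits)
        if RANSOM_NOTE_NAME in files:
            with_note.add(rel)
    unexpected = sorted(d for d in encrypted if d.split(os.sep)[0] in SKIPPED_TOP_DIRS)
    return {
        "encrypted_dirs": dict(encrypted),
        "dirs_with_note": sorted(with_note),
        "unexpected_skipped_dirs": unexpected,
        "total_encrypted": sum(encrypted.values()),
    }


def build_sample_tree():
    """Constructed sample host: two hit directories plus a clean directory under etc/."""
    root = tempfile.mkdtemp(prefix="icefire-demo-")
    layout = {
        "home/media/projects": ["cut1.mp4" + IFIRE_EXT, "cut2.mov" + IFIRE_EXT, RANSOM_NOTE_NAME],
        "opt/aspera/uploads": ["upload.zip" + IFIRE_EXT, RANSOM_NOTE_NAME],
        "etc": ["hosts", "passwd"],  # in the skipped set, so left untouched as reported
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in names:
            open(os.path.join(d, name), "w").close()
    return root


if __name__ == "__main__":
    print(scan_for_icefire(build_sample_tree()))
```

Point `scan_for_icefire` at a mounted disk image or a live root to triage a real host; the skipped-path check is only a heuristic derived from the report's exclusion list.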