Global ESXiArgs ransomware attack on the back of a two-year-old vulnerability

The ESXiArgs ransomware campaign exploited CVE-2021-21974 in the OpenSLP service to execute code remotely on internet-exposed ESXi servers. VMware patched the vulnerability in early 2021; the Trellix report details how attackers probe the internet for unpatched systems, encrypt VMware-specific files, and erase traces to complicate recovery.
#ESXiArgs #OpenSLP #CVE2021-21974 #BabukRansomware

Keypoints

  • The campaign targeted end-of-general-support or significantly out-of-date ESXi products by exploiting CVE-2021-21974 via OpenSLP.
  • Threat actors actively scan the internet for ESXi servers exposed to this flaw and attempt remote code execution to compromise them.
  • Once compromised, the ransomware encrypts targeted files and appends a “.args” extension to the filenames.
  • Targeted file types include .vmxf, .vmx, .vmdk, .vmsd, and .nvram, indicating emphasis on VMware configuration and disk data.
  • Post-encryption activity includes deleting log files, removing the Python backdoor, and deleting lines from files to hinder recovery and analysis.
  • Indicators of compromise include specific file hashes and names such as encrypt.sh and python.py, among others listed in the report.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Threat actors are actively scanning the internet for ESXi servers exposed to this remote code execution vulnerability. “Once the exploitable machine is identified the attacker attempts to create a heap buffer overflow and execute code remotely to compromise the server.”
  • [T1059.004] Unix Shell – The campaign uses shell- and script-based components observed in IoCs (e.g., encrypt.sh, hostd-probe.sh). “Files targeted by the threat actors include those with the following extensions: ‘.vmxf’, ‘.vmx’, ‘.vmdk’, ‘.vmsd’, and ‘.nvram’ extensions.”
  • [T1070] Indicator Removal – The malware cleans up traces by deleting log files and removing the backdoor to hinder recovery and analysis. “the malware performs clean up tasks to delete log files, remove the Python based backdoor and delete various lines from several files to hinder recovery and analysis.”
  • [T1070.004] File Deletion – Part of the cleanup activity, specifically deleting files/logs to evade forensic scrutiny. “delete various lines from several files to hinder recovery and analysis.”

Indicators of Compromise

  • [Hash] ESXiArgs file hashes – 948e6d82d625ec2ebec2b2e5ee21ada8, c358fe0e8837cc577315fc38892b937d, d0d36f169f1458806053aae482af5010, df1921871117dc84e9d1faf361656a83, and 2 more hashes
  • [File name] ESXiArgs file names – encrypt.sh, python.py, hostd-probe.sh, local.sh
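The keypoints above describe the observable residue of an ESXiArgs infection: files renamed with a “.args” suffix, dropped scripts with known names, and known file hashes. The following is an added triage example, written for this summary and not code from the Trellix report, that walks a directory tree and reports those three kinds of indicator. It uses only the four MD5 hashes reproduced in the list above (the report lists two more that are not on this page), and the sample directory it builds is constructed here purely for illustration. Note the caveat on local.sh: that file legitimately exists on every ESXi host under /etc/rc.local.d, so a name match there is a lead to inspect, not a confirmation.

```python
"""Triage helper: look for ESXiArgs indicators in a directory tree.

Added example for this summary; not part of the Trellix report.
Assumptions: run against a copy of an ESXi datastore or scratch
partition; hashes are the four MD5s listed on this page only.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes from the IoC list above (two further hashes in the report are not reproduced here).
ESXIARGS_MD5 = {
    "948e6d82d625ec2ebec2b2e5ee21ada8",
    "c358fe0e8837cc577315fc38892b937d",
    "d0d36f169f1458806053aae482af5010",
    "df1921871117dc84e9d1faf361656a83",
}
# File names from the IoC list. local.sh is also a legitimate ESXi startup
# script (/etc/rc.local.d/local.sh), so a name hit on it needs manual review.
ESXIARGS_FILENAMES = {"encrypt.sh", "python.py", "hostd-probe.sh", "local.sh"}
# Extensions the report says the ransomware targets.
TARGETED_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Suffix appended to encrypted files.
ENCRYPTED_SUFFIX = ".args"


def md5_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in chunks so large .vmdk files do not load into memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path) -> dict:
    """Walk root and collect three classes of finding, each as a sorted list.

    encrypted: (relative path, original name, original extension is a targeted type)
    ioc_name:  relative paths whose basename matches a listed IoC file name
    ioc_hash:  (relative path, md5) for files whose MD5 matches a listed hash
    """
    findings = {"encrypted": [], "ioc_name": [], "ioc_hash": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                targeted = Path(original).suffix in TARGETED_EXTENSIONS
                findings["encrypted"].append((rel, original, targeted))
            if name in ESXIARGS_FILENAMES:
                findings["ioc_name"].append(rel)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # unreadable file: skip hashing, keep other findings
            if digest in ESXIARGS_MD5:
                findings["ioc_hash"].append((rel, digest))
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed directory resembling a post-infection datastore."""
    (root / "vm01").mkdir(parents=True, exist_ok=True)
    (root / "tmp").mkdir(parents=True, exist_ok=True)
    # Constructed placeholders standing in for encrypted VM files.
    (root / "vm01" / "vm01.vmdk.args").write_bytes(b"constructed ciphertext placeholder")
    (root / "vm01" / "vm01.vmx.args").write_bytes(b"constructed ciphertext placeholder")
    (root / "vm01" / "vm01.vmsd").write_bytes(b"constructed, left untouched")
    # A .args file whose original extension is not in the targeted set.
    (root / "readme.txt.args").write_bytes(b"constructed")
    # Constructed stand-in with an IoC file name; its hash will not match the list.
    (root / "tmp" / "encrypt.sh").write_bytes(b"#!/bin/sh\n# constructed stand-in, not the real script\n")


def demo() -> dict:
    """Build the constructed sample tree in a temp dir, scan it, and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Running it against the constructed tree reports three encrypted files (two with targeted VMware extensions, one not), one IoC file-name hit on tmp/encrypt.sh, and no hash hits, because the constructed contents do not match the real samples. On a real host, point scan_tree at a mounted copy of the datastore and treat hash matches as confirmed, name matches as leads, and the “.args” inventory as the scope of files to restore from backup.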

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/global-esxiargs-ransomware-attack-on-the-back-of-a-two-year-old-vulnerability.html