Analysis of ESXiArgs Ransomware | SECUINFRA

ESXiArgs is a ransomware variant that targeted internet-exposed ESXi hypervisors by exploiting CVE-2021-21974 in the OpenSLP service to deploy a Python backdoor and a web shell. The campaign encrypts virtual machine data with a hybrid scheme of RSA and the Sosemanuk stream cipher, replaces the vSphere Web Interface and the SSH MOTD with ransom notes, then deletes logs and other artifacts to hinder investigation. #ESXiArgs #CVE-2021-21974

Keypoints

  • Automated exploitation of CVE-2021-21974 in OpenSLP on internet-facing ESXi hosts is the initial access vector for ESXiArgs.
  • Persistence is established with a Python backdoor (vmtools.py) that also exposes a web shell over HTTP on port 8008.
  • Ransomware components are delivered in an archive named archieve.zip (sic) containing the ransom notes, a Bash script (encrypt.sh) and an ELF binary (encrypt) that performs the encryption.
  • Encryption combines RSA public-key cryptography with the symmetric Sosemanuk stream cipher; encrypt.sh orchestrates the run while the encrypt binary handles the actual data encryption.
  • Attacker actions include terminating the vmx processes so the VM data can be encrypted, replacing the vSphere Web Interface and the SSH MOTD with the ransom note, and deleting log files to hinder forensics.
  • Recovery guidance is available from the security community (the YoreGroup recovery workflow), and CISA has released a recovery script for affected hypervisors.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – ‘Threat Actors behind ESXiArgs are actively scanning for vulnerable ESXi Servers.’
  • [T1190] Exploit Public-Facing Application – ‘Exploitation of OpenSLP’.
  • [T1059.006] Command and Scripting Interpreter: Python – ‘Backdoor/Web Shell implemented in Python’.
  • [T1037.004] Boot or Logon Initialization Scripts: RC Scripts – ‘Persisting the Python backdoor’.
  • [T1571] Non-Standard Port – ‘Web Shell implemented in vmtools.py’ and ‘Reverse Shell via specified port; default fallback: 427’.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – ‘Ransomware functionality is implemented in Bash’.
  • [T1486] Data Encrypted for Impact – ‘VM data is encrypted via RSA+Sosemanuk’.
  • [T1489] Service Stop – ‘Killing the vmx process in encrypt.sh’.
  • [T1491.002] Defacement: External Defacement – ‘Defacement of the vSphere Web Interface’.
  • [T1491.001] Defacement: Internal Defacement – ‘Defacement of the SSH MOTD’.
  • [T1070.002] Indicator Removal: Clear Linux or Mac System Logs – ‘Deleting all .log files’.

Indicators of Compromise

  • [Hash] SHA-256 hashes – 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66, 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459
  • [Filename] File names observed – vmtools.py, archieve.zip
  • [Port] Network ports used for C2 – 8008 (web shell listener), 427 (default fallback for the reverse shell; also the legitimate OpenSLP port)
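
A hunting check over the indicators listed above, as an added example (not code from the SECUINFRA analysis): it hashes files under a given root against the two SHA-256 IoCs, matches the two file names, and parses a connection table in the layout of esxcli network ip connection list to flag the 8008 web-shell listener and established connections to 8008 or 427 that are not owned by the SLP daemon (a listener on 427 is the normal OpenSLP service and is ignored). The sample directory tree and the connection rows are constructed for the demo; the world names slpd and python, and the exact column layout of the esxcli output, are assumptions.

```python
"""Hunt for the ESXiArgs indicators from this page on an ESXi host.

Added example, not from the SECUINFRA write-up. Only the IoCs on this page
are used: two SHA-256 hashes, the file names vmtools.py and archieve.zip,
and TCP ports 8008 (web shell) and 427 (reverse-shell fallback, which is
also the legitimate OpenSLP port). The sample tree and connection table are
constructed; world names "slpd" and "python" are assumptions.
"""
import hashlib
import os
import tempfile

IOC_HASHES = {
    "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66",
    "10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459",
}
IOC_FILENAMES = {"vmtools.py", "archieve.zip"}
WEBSHELL_PORT = 8008
FALLBACK_PORT = 427

# Constructed sample, laid out like `esxcli network ip connection list`
# (column layout is an assumption; the parser only relies on field positions).
SAMPLE_CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address        Foreign Address      State        World ID  CC Algo  World Name
-----  ------  ------  -------------------  -------------------  -----------  --------  -------  ----------
tcp         0       0  0.0.0.0:427          0.0.0.0:0            LISTEN       2097650   newreno  slpd
tcp         0       0  0.0.0.0:8008         0.0.0.0:0            LISTEN       2100311   newreno  python
tcp         0       0  192.0.2.10:51234     198.51.100.7:427     ESTABLISHED  2100311   newreno  python
tcp         0       0  192.0.2.10:443       203.0.113.5:55120    ESTABLISHED  2097410   newreno  hostd-worker
"""


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so VMDK-sized files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and return sorted (reason, path) pairs for IoC file names or hashes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in IOC_FILENAMES:
                hits.append(("ioc-filename", path))
            try:
                if sha256_file(path) in IOC_HASHES:
                    hits.append(("ioc-hash", path))
            except OSError:
                continue  # unreadable file (e.g. a disk locked by a running VM); skip
    return sorted(hits)


def parse_connections(text):
    """Parse TCP rows into (proto, local, remote, state, world) tuples; skips headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue  # header, separator, or non-TCP row
        rows.append((parts[0], parts[3], parts[4], parts[5], parts[-1]))
    return rows


def port_of(addr):
    """Port of an 'addr:port' string; splitting on the last colon also handles IPv6."""
    return int(addr.rsplit(":", 1)[1])


def suspicious_connections(rows):
    """Flag the web-shell listener on 8008 and established connections to 8008/427
    not owned by the slpd world. A LISTEN on 427 is normal OpenSLP and is ignored."""
    flagged = []
    for _proto, local, remote, state, world in rows:
        if state == "LISTEN" and port_of(local) == WEBSHELL_PORT:
            flagged.append(("webshell-listener", local, world))
        elif (state == "ESTABLISHED" and world != "slpd"
              and port_of(remote) in (WEBSHELL_PORT, FALLBACK_PORT)):
            flagged.append(("reverse-shell-candidate", remote, world))
    return flagged


def build_sample_tree():
    """Create a constructed directory: one IoC-named file, one empty file, one benign file."""
    root = tempfile.mkdtemp(prefix="esxiargs-demo-")
    with open(os.path.join(root, "vmtools.py"), "w") as f:
        f.write("# constructed placeholder, not the real backdoor\n")
    open(os.path.join(root, "empty.bin"), "wb").close()
    with open(os.path.join(root, "benign.txt"), "w") as f:
        f.write("nothing to see\n")
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(*hit)
    for hit in suspicious_connections(parse_connections(SAMPLE_CONNECTIONS)):
        print(*hit)
```

On a real host, call scan_tree on the datastore and configuration roots you want covered and feed parse_connections the live output of esxcli network ip connection list; a hash match is conclusive, while a file-name match or a flagged connection is a lead that still needs the process and file contents examined.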

Read more: https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/