Functionality rich Android malware identified in the wild

The SonicWall Threats Research Team received reports of Android malware in the wild, hosted on an active domain. The sample is a Remote Access Trojan (RAT) with a broad set of capabilities.

 

Application Specifics

 

App Execution

After installation, the app icon is visible but carries no application name:

 

The AndroidManifest.xml file can be used to identify how the application starts its execution flow. In this application the main activity is listed as com.depart.buddy.lz. However, looking at the code, this class is not visible in the list of classes:

 

This suggests that a second dex file is dropped at runtime and that this file contains the class registered as the main activity. Once the app is executed, a file named kreaslX.json is dropped in the folder below:

 

Renaming the .json file to .zip and opening it in a disassembler shows us the missing class files:
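The rename-and-unzip step above works because the dropped file's name lies about its content. The following check, added here as an example and not taken from the original write-up, classifies a file by its magic bytes rather than its extension, so a DEX or ZIP-holding-DEX payload saved as .json (as kreaslX.json is) gets surfaced from an app's private data directory. The sample payload it builds is constructed for the demo and is not the real dropped file.

```python
"""Classify dropped files by magic bytes, not extension (added example)."""
import io
import json
import os
import zipfile

DEX_MAGIC = b"dex\n"        # DEX header: 'dex\n' + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header; APK/JAR use the same container
CODE_TYPES = {"dex", "zip-with-dex"}
DATA_EXTS = {".json", ".xml", ".txt", ".png", ".jpg", ".dat"}  # benign-looking names


def classify(data: bytes) -> str:
    """Return the real content type, judged from magic bytes and structure."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "zip-with-dex" if any(n.endswith(".dex") for n in names) else "zip"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def suspicious(filename: str, data: bytes) -> bool:
    """True when a data-looking extension hides Dalvik code."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in DATA_EXTS and classify(data) in CODE_TYPES


def scan(files: dict) -> list:
    """Scan a {name: bytes} mapping (e.g. an app's private data dir) and return
    the names worth pulling for closer analysis."""
    return sorted(name for name, data in files.items() if suspicious(name, data))


def build_sample_payload() -> bytes:
    """Constructed stand-in for kreaslX.json: a ZIP holding a minimal classes.dex
    header. Only the leading bytes matter for the check; this is not a valid DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed directory listing: a config file, genuine JSON, and the disguised dex.
    app_dir = {
        "settings.xml": b"<?xml version='1.0'?><map></map>",
        "cache.json": b'{"last_sync": 0}',
        "kreaslX.json": build_sample_payload(),
    }
    for name in scan(app_dir):
        print(f"{name}: {classify(app_dir[name])}")
```

Running it over a pulled data directory lists only the files whose content is Dalvik code despite a data extension; everything else (real JSON, XML preferences, a plain classes.dex) is left alone.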

 

The shared preferences file settings.xml can be viewed as the configuration file for this application. A number of the malware's capabilities are listed in it:

 

Notable capabilities include:

  • Log SMS messages on the device
  • Log applications installed on the device
  • Log contacts
  • Request for Admin privileges
  • Lock device
  • Start TeamViewer application
  • Switch the sound off
  • Kill an application
  • Keylogger functionality
  • Turn PlayProtect off

Network Investigation

The application is hosted at hxxps://www.kisa.link/PMmG. The VirusTotal graph shows multiple malicious indicators connected with this domain:

 

A hardcoded admin panel address was identified in the shared_preferences.xml file: hxxp://helalolsundayiogli.co.vu. The VirusTotal graph for this domain shows multiple APK files connected to it:

 

Overall this application appears to be part of a larger campaign being propagated via the links mentioned. It is a Remote Access Trojan capable of accepting commands and executing its built-in functionality.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.SM

 

Indicators of Compromise:

  • bfdd4663a096b21a1d2b7c993bb0aecd
  • 2dc70002c841181ee1e832381f8429ab

 

Realtek Jungle SDK remote code execution

Realtek currently manufactures and sells a variety of microchips globally. Realtek chipsets are found in many embedded devices in the IoT space. Realtek offers total HomeKit solutions with Ameba (RTL8711 series) and iCOM (RTL8196/8188 series) that can be easily implemented into various IoT platform designs, e.g. smart plugs, smart home appliances, home security systems, and smart sensor/lighting devices. RTL8xxx SoCs provide wireless capabilities, and the SDK exposes services over the network.

CVE-2021-35395
Realtek Jungle SDK versions v2.x up to v3.4.14B provide an HTTP web server exposing a management interface that can be used to configure the access point. There are two versions of this management interface: one based on GoAhead, named webs, and another based on Boa, named boa. Arbitrary command execution exists in formSysCmd via the sysCmd parameter. Successful exploitation allows remote attackers to gain arbitrary code execution on the device.

The HTTP web server ‘boa’ is also vulnerable to multiple buffer overflows due to unsafe copies of overly long parameters submitted in a form, such as:

  • unsafe copy of the ‘submit-url’ parameter in formRebootCheck/formWsc/formWlanMultipleAP
  • unsafe copy of the ‘peerPin’ parameter in formWsc
  • unsafe copy of the ‘ifname’ parameter in formWlSiteSurvey
  • unsafe copy of the ‘hostname’ parameter in formStaticDHCP

The root cause of these vulnerabilities is insufficient validation of the destination buffer size combined with unsafe calls to sprintf/strcpy. An attacker can exploit them by crafting arguments in a specific request. Successful exploitation could lead to a server crash and denial of service.
Realtek has patched these vulnerabilities.
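As a request-level illustration of the two issues above, the following check is added here; it is not from the original post and is not SonicWall's signature logic. It flags any sysCmd parameter sent to formSysCmd, and flags the parameters named above when their values exceed a length bound. Assumptions: form handlers are addressed as /goform/<form> (webs) or /boafrm/<form> (boa), parameters arrive URL-encoded in the POST body or the query string, and MAX_PARAM_LEN is a generous illustrative bound, since the post does not give the real stack buffer sizes.

```python
"""Flag Realtek SDK management-form requests matching the issues above (added example)."""
from urllib.parse import parse_qs, urlsplit

FORM_PREFIXES = ("/goform/", "/boafrm/")   # assumed: webs and boa form routes
MAX_PARAM_LEN = 256                         # assumed illustrative bound

# form handler -> parameters the post says are copied without a length check
OVERFLOW_PARAMS = {
    "formRebootCheck": ("submit-url",),
    "formWsc": ("submit-url", "peerPin"),
    "formWlanMultipleAP": ("submit-url",),
    "formWlSiteSurvey": ("ifname",),
    "formStaticDHCP": ("hostname",),
}


def form_params(method: str, url: str, body: str) -> tuple:
    """Return (form_name, params) or (None, {}) for non-form requests."""
    parts = urlsplit(url)
    if not parts.path.startswith(FORM_PREFIXES):
        return None, {}
    form = parts.path.rsplit("/", 1)[-1]
    raw = body if method.upper() == "POST" else parts.query
    return form, parse_qs(raw, keep_blank_values=True)


def inspect_request(method: str, url: str, body: str = "") -> list:
    """Return findings as (kind, form, parameter, detail); empty means clean."""
    findings = []
    form, params = form_params(method, url, body)
    if form is None:
        return findings
    # CVE-2021-35395: on affected SDK versions formSysCmd executes sysCmd, so any
    # request carrying it deserves a look regardless of the value.
    if form == "formSysCmd" and "sysCmd" in params:
        findings.append(("command-injection", form, "sysCmd", params["sysCmd"][0]))
    # unsafe strcpy/sprintf targets: flag overlong values for the listed parameters
    for name in OVERFLOW_PARAMS.get(form, ()):
        for value in params.get(name, []):
            if len(value) > MAX_PARAM_LEN:
                findings.append(("buffer-overflow", form, name, len(value)))
    return findings


if __name__ == "__main__":
    # Constructed requests, modelled on the shapes described above.
    samples = [
        ("POST", "/goform/formSysCmd", "sysCmd=id&apply=Apply&submit-url=%2Fsyscmd.asp"),
        ("POST", "/boafrm/formWsc", "submit-url=" + "A" * 600 + "&peerPin=12345678"),
        ("POST", "/boafrm/formWsc", "submit-url=%2Fwlwps.asp&peerPin=12345678"),
    ]
    for method, url, body in samples:
        print(method, url, inspect_request(method, url, body) or "clean")
```

The length bound is the knob to tune: a firmware-specific value comes from the actual buffer sizes in the affected handler, and lowering it toward those sizes reduces misses on short but still overlong inputs.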

SonicWall Capture Labs provides protection against this threat via following IPS signatures:

  • 18646 Realtek Jungle SDK Remote Code Execution 2
  • 18645 Realtek Jungle SDK Remote Code Execution 1
  • 18649 Realtek Jungle SDK HTTP Server Buffer Overflow 5
  • 18648 Realtek Jungle SDK HTTP Server Buffer Overflow 4
  • 18647 Realtek Jungle SDK HTTP Server Buffer Overflow 3
  • 18644 Realtek Jungle SDK HTTP Server Command Injection
  • 18643 Realtek Jungle SDK HTTP Server Buffer Overflow 2
  • 18642 Realtek Jungle SDK HTTP Server Buffer Overflow

Threat Graph

Ransomware asking victims to subscribe to a YouTube channel

The SonicWall Capture Labs Threat Research team has come across a ransomware with a bizarre demand in exchange for decryption. This ransomware calls itself “Black Eye” but, instead of demanding cryptocurrency as payment, it requires the victim to subscribe to a YouTube channel and to comment on the videos on that channel.

Infection cycle:

Upon execution, this ransomware creates a copy of itself in the following directory:

  • %AppData%\Roaming\BLACK EYE RANSOMWARE.exe

It then spawns the copy and begins encrypting files on the victim machine, appending 4 random characters to the name of each encrypted file.

It also adds a text file in all the directories named “readme_it.txt” which is then opened in notepad upon successful infection.

This is a poorly written ransom note with a lot of grammatical and spelling errors.

To get their files back, victims are asked to subscribe to a YouTube channel. The owner of that channel appears to have had an interest in ransomware for some time and has been posting videos about ransomware.

It also changes the desktop wallpaper to this photo.

To maintain persistence, it adds a copy of the ransom note to the %Startup% directory along with a link to the “Black Eye Ransomware” executable; both run upon system reboot.

It is unclear whether the malware author has actually infected victims who agreed to subscribe to the YouTube channel. When we first analyzed this malware, the channel had 60+ subscribers; this week it has grown to 73.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Black.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for February 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability
IPS 2457:Windows Kernel Elevation of Privilege Vulnerability (CVE-2022-21989)

CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 293:Malformed-File exe.MP_234

CVE-2022-21996 Win32k Elevation of Privilege Vulnerability
ASPY 294:Malformed-File exe.MP_235

CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 295:Malformed-File exe.MP_236

CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability
ASPY 296:Malformed-File exe.MP_237

CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 297:Malformed-File exe.MP_238

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21968 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21986 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability
There are no known exploits in the wild.

EmbedThis GoAhead Web Server CGI RCE

Overview:

  EmbedThis GoAhead is a popular compact web server intended and optimized for embedded devices. Despite its small size, the server supports HTTP/1.1 and a CGI handler, among other features.

  An unrestricted file upload vulnerability has been reported in EmbedThis GoAhead Web Server. The vulnerability is due to improper validation of user form variables passed to the file upload filter.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could lead to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-42342.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote code execution vulnerability exists in EmbedThis GoAhead. Variables supplied through the multipart/form-data content processing are added using websSetVar(), which does not prefix the variable name or set the arg value. Other areas of code use a wrapper function, addFormVars(), for this purpose. The function cgiHandler() attempts to blacklist certain variable names, but uses the strim() function with a null value for the set parameter, returning a null value and preventing any of the values included in the blacklist from matching. Without the arg value set, the variables are used as environment variables verbatim in the spawned process. This vulnerability is due to an incomplete fix for CVE-2017-17562.

  Exploitation of this vulnerability does not require misusing the interface, so illegitimate variables cannot be distinguished from legitimate ones on that basis. However, the CVE was opened for the specific exploitation path of using the LD_PRELOAD environment variable to point to a supplied shared object (ELF) file so that arbitrary code stored in its .init section runs. The object can be delivered either by sending it after the multipart/form-data content and referencing the CGI standard input file through the proc or dev directory, or by uploading it in a multipart/form-data payload and referencing the temporary filename. Other “LD_” prefixed environment variables may also be used to affect CGI behaviour.
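  The two paragraphs above describe how raw form variable names reach the child's environment. The Python model below is added here as an illustration and is not GoAhead's code. build_cgi_env_vulnerable() reproduces the failure mode (a trim helper that returns NULL makes the blacklist comparison never match, so nothing is blocked), and build_cgi_env_fixed() applies a name allowlist, rejects LD_* and other loader or shell variables, and namespaces what remains. The CGI_ prefix and the denylist contents are assumptions chosen for the example, not GoAhead's values.

```python
"""Model of CGI environment construction: broken blacklist vs. hardened filter (added example)."""
import re

# loader/shell-influencing names that must never come from a client (assumed list)
DENYLIST = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PATH", "IFS",
            "PERL5OPT", "PYTHONPATH", "BASH_ENV", "ENV"}
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")
PREFIX = "CGI_"  # assumed prefix; stands in for what a prefixing wrapper would add


def _strim_broken(name: str, chars):
    """Models strim(name, set) being called with set == NULL: it returns NULL."""
    return None if chars is None else name.strip(chars)


def build_cgi_env_vulnerable(form_vars: dict) -> dict:
    """Unprefixed names compared through a NULL result: nothing is ever blocked."""
    env = {}
    for name, value in form_vars.items():
        if _strim_broken(name, None) in DENYLIST:   # None is never in the set
            continue
        env[name] = value                            # raw name becomes an env var
    return env


def build_cgi_env_fixed(form_vars: dict) -> dict:
    """Allowlist the name, reject loader variables by exact name and by LD_ prefix,
    and namespace the rest so they cannot collide with loader or CGI variables."""
    env = {}
    for name, value in form_vars.items():
        if not SAFE_NAME.match(name):
            continue
        upper = name.upper()
        if upper in DENYLIST or upper.startswith("LD_"):
            continue
        env[PREFIX + name] = value
    return env


def loader_controlled(env: dict) -> list:
    """Names in a prepared environment that the dynamic loader would honour."""
    return sorted(k for k in env if k.startswith("LD_"))


if __name__ == "__main__":
    # Constructed multipart form variables, shaped like the attack described above.
    posted = {
        "LD_PRELOAD": "/proc/self/fd/0",   # shared object read back from CGI stdin
        "LD_LIBRARY_PATH": "/tmp",
        "username": "alice",
    }
    print("vulnerable:", loader_controlled(build_cgi_env_vulnerable(posted)))
    print("fixed:", build_cgi_env_fixed(posted))
```

  The denylist alone is not the point: the prefix is what closes the class, because a client can then never name a variable the loader or the shell will read, whatever new LD_ or locale variable a future libc adds.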

  Incomplete Fix CVE-2017-17562

Triggering the Problem:

  • The target must have a vulnerable version of the product installed and running.
  • The target product must have been compiled with the ME_GOAHEAD_UPLOAD and ME_GOAHEAD_CGI flags.
  • The target path must be configured to handle CGI requests.
  • The target must support loading ELF shared objects.
  • The target loader must honor the LD_PRELOAD environment variable.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a crafted HTTP POST request to the target server. The body contains the LD_PRELOAD variable and an embedded ELF shared object. The vulnerability is triggered when the target server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 6178 EmbedThis GoAhead File Upload Filter Remote Code Execution

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering attack traffic using the signature above.
    • Compiling the software with either the ME_GOAHEAD_UPLOAD or the ME_GOAHEAD_CGI flag disabled.
    • Removing all CGI binaries.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Argos 2.0 ransomware threat actor gives up decryption key

The SonicWall threat research team has recently seen reports of ransomware called Argos 2.0. The ransomware works like most others, encrypting files and demanding payment in bitcoin for file recovery. However, reverse engineering the malware is trivial and the decryption key is easily obtainable. In addition, the attacker is also willing to give out the decryption key for no payment.

 

Infection Cycle:

 

Upon infection, @argosd3crypter.exe is spawned and can be seen running in the background:

 

Files on the system are encrypted. After this, the following image is displayed on the screen:

 

The following files are dropped on to the system:

  • C:\Ransom.png (as seen above)
  • C:\@argosd3crypter.exe [Detected as: GAV: Argos.RSM (Trojan)]

 

The malware is written in C# and is trivial to decompile:

 

It has code that reports the infection to the attacker via Discord:

 

The core decryption function can be seen in the source:

 

The hardcoded decryption key can be easily seen in the decompiled code along with target directories:

 

Entering this key results in the following message:

 

We also contacted BigFrankND#4978 on Discord and were able to freely obtain the decryption key.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Argos.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Oracle MySQL Server InnoDB Memcached Vulnerability

Overview:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.

  A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A heap buffer overflow vulnerability exists in the MySQL InnoDB memcached plugin when it handles an incoming get command. This is performed in the innodb_get() function. When a “@@store_name” notation appears inside a get command, the vulnerable function executes the code branch that switches tables. It retrieves the schema (db_schema) and table (db_table) information using the supplied store_name and builds the table_name with the following format string (depending on whether the platform is Windows or not):

  %s\%s

  or

  %s/%s

  For example, if the store_name aaa maps to schema ts1 and table tab1, a “get @@aaa” command causes the table_name to be built as “ts1\tab1”. This table_name is then copied into a heap buffer of fixed size 16384. If there are multiple “@@store_name” notations in one get command, all of the generated table_name strings are copied into this buffer in order. However, the vulnerable function fails to validate the total length of these table_name strings, which can overflow the heap buffer.
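  The following Python model of the table-switching path is added here to make the length arithmetic concrete; it is not Oracle's code. It builds the same %s\%s or %s/%s strings, appends them in order into a 16384-byte buffer, and either refuses the copy (the missing check) or reports where the unchecked copy would run past the end. The catalog mapping store names to (schema, table) pairs is constructed for the demo, and treating a @@name.key token as a switch to name is an assumption about the notation.

```python
"""Model of innodb_get() table_name buffering and the missing total-length check (added example)."""

BUF_SIZE = 16384          # fixed heap buffer size from the analysis above


def store_names(cmd: str) -> list:
    """Pull the @@store_name tokens out of a memcached text-protocol get."""
    parts = cmd.split()
    if not parts or parts[0] not in ("get", "gets"):
        raise ValueError("not a get command")
    names = []
    for token in parts[1:]:
        if token.startswith("@@"):
            names.append(token[2:].split(".", 1)[0])   # assumed: drop an optional .key suffix
    return names


def table_name(schema: str, table: str, windows: bool = False) -> str:
    """The %s\\%s (Windows) or %s/%s (other platforms) string the plugin builds."""
    return f"{schema}\\{table}" if windows else f"{schema}/{table}"


def fill_buffer(cmd: str, catalog: dict, windows: bool = False, checked: bool = True) -> tuple:
    """Return (buffer_contents, overflowed). With checked=True the copy refuses to
    exceed BUF_SIZE (the validation the plugin lacked); with checked=False it
    reports the overflow instead of corrupting anything."""
    buf = ""
    for name in store_names(cmd):
        if name not in catalog:           # unknown container: skipped here, an error in the plugin
            continue
        tn = table_name(*catalog[name], windows=windows)
        if len(buf) + len(tn) + 1 > BUF_SIZE:      # +1 for the terminating NUL
            if checked:
                raise ValueError(f"table_name list would exceed {BUF_SIZE} bytes")
            return buf + tn, True
        buf += tn
    return buf, False


def would_overflow(cmd: str, catalog: dict, windows: bool = False) -> bool:
    """True when the command's combined table_name strings exceed the buffer."""
    return fill_buffer(cmd, catalog, windows, checked=False)[1]


if __name__ == "__main__":
    catalog = {"aaa": ("ts1", "tab1")}                  # constructed mapping
    print(fill_buffer("get @@aaa", catalog, windows=True)[0])
    crafted = "get " + " ".join(["@@aaa"] * 2100)       # 2100 * 8 bytes > 16384
    print("overflow:", would_overflow(crafted, catalog))
```

  The attacker needs no long key names: with an 8-byte table_name, a little over two thousand repetitions of a legitimate @@aaa token in one get line is enough, which is also why the check has to be on the running total rather than on each token.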

  Memcached Get Data

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The target product must have the InnoDB-memcached plugin enabled.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Memcache, over port 11211/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3109 MySQL InnoDB Memcached Plugin DoS

Remediation Details:

  The following actions may be taken to mitigate or eliminate the risks associated with this vulnerability:
    • Limit access to the database to trusted users only.
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor, Oracle, has released the following advisory regarding this vulnerability:
  Vendor Advisory

Traces of an Android malware yet again lead to a Github repository

The SonicWall Threats Research team identified yet another GitHub repository that might have been used to create and release Android malware in the wild; this time it is AndroRAT.

Specifics for the sample that was identified in the wild:

  • MD5: f1d83d43b21478c349f2ee515aef4271
  • Application Name: Google Service Framework
  • Package Name: com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI

 

Using this repository a malicious app can be configured with the following options:

 

We created a test app using this repository and compared the code of both the applications. The code looks identical:

The application identified was created with the following options as can be seen from the config class:

 

The application requests a number of permissions, some of which give access to sensitive user information:

  • Receive_boot_completed
  • Wake_lock
  • Camera
  • Read_external_storage
  • Write_external_storage
  • Read_sms
  • Access_fine_location
  • Access_coarse_location
  • Read_call_log
  • Record_audio
  • System_alert_window

 

This gives a taste of the components in this malware. The application contains a multitude of malicious functionalities and is capable of accepting commands from the attacker, some of which are listed below:

  • exit
  • camList
  • takepic
  • shell
  • getClipData
  • deviceInfo
  • help
  • clear
  • getSimDetails
  • getIP
  • vibrate
  • getSMS
  • getLocation
  • startAudio
  • stopAudio
  • startVideo
  • stopVideo
  • getCallLogs
  • getMACAddress

Commands are visible in the code as shown:

 

We configured a test AndroRAT sample to understand how this malware works further. Configuring and listening for incoming connections quickly gave a shell once the malware was executed on the infected device:

 

Commands can now be executed on the infected device:

For instance, running ‘deviceInfo’ gave us details of the infected device:

 

Overall this threat is a potent spyware and Remote Access Tool (RAT). Though its features are limited, considerable personally identifiable information (PII) can be extracted from an infected device. The fact that this RAT is freely available on GitHub is a cause for concern.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androrat.PN

 

Indicators of Compromise:

  • f1d83d43b21478c349f2ee515aef4271

 

 

Grafana plugins Directory Traversal Vulnerability

Grafana is a multi-platform, open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

Directory Traversal Vulnerability
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal. A directory traversal attack (also known as path traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences.

CVE-2021-43798 | Grafana plugins Directory Traversal Vulnerability
Directory traversal vulnerability exists in Grafana allowing access to local files. The vulnerable URL path  . The plugin_id can be the default plugin that comes pre-installed with Grafana, for example:

  • alertlist
  • annolist
  • barchart
  • bargauge
  • candlestick
  • cloudwatch
  • dashlist
  • elasticsearch

The vulnerability is due to insufficient sanitization of user input for plugin assets, which allows arbitrary files to be read from the filesystem. A remote, unauthenticated attacker can exploit this vulnerability by sending a request to a valid plugin asset directory with dot-dot segments to request arbitrary paths. Successful exploitation results in the disclosure of arbitrary file contents from the target server.

Threat actors can leverage this flaw by crafting an HTTP request that reads sensitive files from the server, leading to the disclosure of sensitive information. The following examples show such requests disclosing sensitive information:
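To show the bug class next to its fix, the Python model below is added here; it is not Grafana's code. asset_path_vulnerable() joins and normalises the requested path without checking that the result stays under the plugin's directory, so dot-dot segments walk out of it; asset_path_fixed() accepts only known plugin ids and refuses any resolved path outside the plugin directory. The /public/plugins/<plugin_id>/<file> route, the PLUGIN_ROOT install path and the known-plugin set (taken from the list above) are assumptions for the example.

```python
"""Plugin asset path resolution: traversal-prone join beside a contained one (added example)."""
import posixpath
from urllib.parse import unquote

PLUGIN_ROOT = "/usr/share/grafana/public/plugins"      # assumed install layout
KNOWN_PLUGINS = {"alertlist", "annolist", "barchart", "bargauge",
                 "candlestick", "cloudwatch", "dashlist", "elasticsearch"}
ROUTE_PREFIX = "/public/plugins/"                        # assumed URL route


def split_route(request_path: str) -> tuple:
    """Return (plugin_id, relative_asset_path) for a request, or (None, None)."""
    path = unquote(request_path)                         # decode %2e%2e and friends once
    if not path.startswith(ROUTE_PREFIX):
        return None, None
    rest = path[len(ROUTE_PREFIX):]
    plugin_id, _, rel = rest.partition("/")
    return plugin_id, rel


def asset_path_vulnerable(plugin_id: str, rel: str) -> str:
    """Join and normalise without checking that the result stays under the
    plugin directory: '..' segments climb out of it."""
    return posixpath.normpath(posixpath.join(PLUGIN_ROOT, plugin_id, rel))


def asset_path_fixed(plugin_id: str, rel: str):
    """Only known plugins, and the normalised path must remain inside that
    plugin's own directory; anything else is refused (None)."""
    if plugin_id not in KNOWN_PLUGINS:
        return None
    base = posixpath.join(PLUGIN_ROOT, plugin_id)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def serve(request_path: str, hardened: bool):
    """Resolve a request the way each variant would; returns the file path or None."""
    plugin_id, rel = split_route(request_path)
    if plugin_id is None:
        return None
    if hardened:
        return asset_path_fixed(plugin_id, rel)
    return asset_path_vulnerable(plugin_id, rel)


if __name__ == "__main__":
    # Constructed requests: one legitimate asset and one traversal attempt.
    for req in ("/public/plugins/alertlist/module.js",
                "/public/plugins/alertlist/" + "../" * 7 + "etc/passwd"):
        print(req, "->", serve(req, hardened=False), "|", serve(req, hardened=True))
```

When testing a detection or a proxy rule for this, send both the raw ../ form and the percent-encoded %2e%2e form: front ends that collapse dot-dot segments before routing mask the first but not necessarily the second.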

The following versions are vulnerable:

    • Grafana versions 8.0.0-beta1 through 8.3.0

Grafana has patched the vulnerability; the vendor advisory is available here.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15728:Grafana plugins Directory Traversal

Threat Graph

Linux-based ransomware found targeting VMware ESXi servers

The SonicWall Capture Labs threat research team came across a Linux variant of a ransomware earlier this week. Avoslocker is another ransomware-as-a-service (RaaS) operation that sells its ready-made ransomware to affiliates to carry out attacks. This Linux variant was built specifically to target VMware ESXi servers, to which more and more companies are migrating their servers for easier management. It is a very valuable target for cybercriminals, since one ESXi server can host multiple virtual machines and therefore many critical services for a company.

Infection Cycle:

This variant comes as an ELF executable file. Upon running it manually, the user is presented with the following usage options.

Once running, Avoslocker executes the following command to power off all running virtual machines on the ESXi host:

esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
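The one-liner above is a good hunting target because it is rare in legitimate administration. The following detection pass is added here as an example and is not part of the original post: it scans ESXi shell history lines for a list-piped-into-kill pipeline and for bursts of forced VM kills. The log lines are constructed to resemble /var/log/shell.log entries (timestamp, shell[pid], [user], command); the field layout and the 60-second / three-kill thresholds are assumptions to tune for your environment.

```python
"""Detect mass forced VM power-off in ESXi shell history (added example)."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# a single forced VM kill
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b[^|]*--type=force")
# process list piped into a kill loop: the shape of the Avoslocker one-liner above
LOOP_RE = re.compile(r"esxcli\b.*\bvm\s+process\s+list\b.*\|.*esxcli\s+vm\s+process\s+kill")

# Constructed sample, shaped like /var/log/shell.log (not a real capture).
SAMPLE_LOG = [
    "2022-02-10T09:14:50Z shell[2101234]: [root]: esxcli vm process list",
    "2022-02-10T09:15:02Z shell[2101234]: [root]: esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | tail -n +2 | awk -F $',' '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'",
    "2022-02-10T09:15:03Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2100345",
    "2022-02-10T09:15:03Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2100456",
    "2022-02-10T09:15:04Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2100567",
    "2022-02-10T11:40:11Z shell[2101500]: [admin]: esxcli vm process kill --type=soft --world-id=2100678",
]


def parse_line(line: str):
    """Return (timestamp, user, command) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("cmd")


def analyze_shell_log(lines, window_s: int = 60, threshold: int = 3) -> list:
    """Return findings: ('kill-all-vms-loop', user, ts) for a list|kill pipeline and
    ('forced-kill-burst', user, ts, count) when forced kills cluster in a window."""
    findings, kills = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, cmd = rec
        if LOOP_RE.search(cmd):
            findings.append(("kill-all-vms-loop", user, ts.isoformat()))
        if KILL_RE.search(cmd):
            kills.append((ts, user))
    kills.sort()
    for i, (ts, user) in enumerate(kills):       # sliding window over forced kills
        j = i
        while j < len(kills) and (kills[j][0] - ts).total_seconds() <= window_s:
            j += 1
        if j - i >= threshold:
            findings.append(("forced-kill-burst", user, ts.isoformat(), j - i))
            break
    return findings


if __name__ == "__main__":
    for finding in analyze_shell_log(SAMPLE_LOG):
        print(finding)
```

A soft kill issued by an administrator at a different time does not trip either rule; a forced kill loop, or several forced kills in quick succession, does. Pair this with a file-extension watch for .avoslinux on datastores if the host survives long enough to log it.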

It appends “.avoslinux” extension to all encrypted files.

It also leaves a ransom note reminding victims to avoid shutting down their system to prevent any files being permanently damaged.

It provides a link to a website, accessible only via the Tor browser, with further details on how to pay and retrieve the encrypted files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Avoslocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.