DarkSide Created a Linux Version of Its Ransomware
AT&T's Alien Labs: Malware Designed to Target Servers Hosting VMware Virtual Machines
The DarkSide Russian-speaking cybercrime group, which announced May 13 it was closing its ransomware-as-a-service operation, had earlier completed a Linux version of its malware designed to target ESXi servers hosting VMware virtual machines, according to AT&T’s Alien Labs.
The crime operation announced a DarkSide 2.0 version with Linux capabilities on March 9, 2021, on the Russian-language XSS cybercrime forum, the security firm reports. The original version of the ransomware targeted Windows devices.
The researchers do not report that any group is now using the Linux malware.
"Linux and Unix servers have always been a preferred option for servers and data centers, likely due to the small attack surface of the servers, tight configurations, and lack of user interaction," says Ofer Caspi, security researcher at AT&T's Alien Labs. "However, they are often set up and then forgotten, left without detection or protection mechanisms."
By infecting unprotected virtualization servers, attackers can perform devastating attacks on companies and can take down all the services of a company with a single infection, the researchers say.
The DarkSide gang announced on May 13 that it was shutting down its ransomware-as-a-service operation after its attack on the Colonial Pipeline Co., which led to the temporary shutdown of the company's pipeline serving much of the U.S. East Coast (see: DarkSide Ransomware Gang Says It Has Shut Down).
"The [Linux] malware is quite informative and prints to the screen most of the actions it performs, which is an uncommon behavior for malware. This could imply that the malware is being deployed manually," Caspi notes.
The Linux version of the malware is written in C++ and uses several open-source libraries that were imported and compiled with the malware code into one binary, Caspi says.
Even with these libraries statically compiled in, the final binary is only 2.7MB in size, he says. The malware uses "libcurl functions that were compiled with the rest of the code" for communication between an infected machine and a command-and-control server. "In addition, the malware supports command line parameters during execution to replace almost, if not all, of the default configuration variables," Caspi says.
The Linux malware can shut down entire virtual machines by executing esxcli commands; esxcli is the command-line utility on ESXi servers that lets an operator manage virtual machines from the shell, the researcher says.
Upon execution, the malware prints its configuration to the terminal, including the root path to encrypt, RSA key information, the file extensions targeted for encryption and the C2 addresses. The C2 addresses are stored obfuscated with a rotating XOR key and are decoded when the malware runs.
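As an added example, not code from the AT&T report or from the malware itself, the following shows the analyst-side technique for recovering strings hidden with a cyclic ("rotating") XOR key, such as the C2 addresses described above, given a few bytes of known plaintext. The key length, key bytes, the sample addresses and the assumption that each entry begins with a known URL scheme are constructed for the demonstration, not taken from any sample.

```python
# Added example (not from the AT&T Alien Labs report): analyst-side recovery of
# strings obfuscated with a cyclic ("rotating") XOR key, as the article says the
# DarkSide Linux build does for its C2 addresses. Key, key length, blob layout and
# the URL-scheme prefix below are constructed assumptions, not values from a sample.

def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key byte at the same position mod len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(blob: bytes, key_len: int, known: list[tuple[int, bytes]]) -> bytes:
    """Rebuild a cyclic XOR key from known-plaintext fragments.

    known holds (offset, plaintext) pairs: bytes the analyst is confident of at a
    given position in the decoded blob (e.g. the URL scheme at the start of each
    C2 entry). Each known byte pins down one key position. Raises if the fragments
    contradict each other or leave a key position uncovered.
    """
    key = [None] * key_len
    for off, text in known:
        for i, p in enumerate(text):
            k = blob[off + i] ^ p
            pos = (off + i) % key_len
            if key[pos] is not None and key[pos] != k:
                raise ValueError(f"fragments disagree on key byte {pos}")
            key[pos] = k
    missing = [i for i, k in enumerate(key) if k is None]
    if missing:
        raise ValueError(f"key positions {missing} not covered by known plaintext")
    return bytes(key)

def decode_c2_list(blob: bytes, key: bytes) -> list[str]:
    """Decode the blob and split it on NUL into the individual C2 addresses."""
    return [s.decode() for s in xor_cyclic(blob, key).split(b"\x00") if s]

# Constructed sample: two made-up C2 entries, NUL-separated, hidden with a 3-byte key.
_DEMO_KEY = bytes([0x5A, 0x13, 0xC4])
_DEMO_PLAIN = b"https://c2-a.invalid\x00https://c2-b.invalid\x00"
DEMO_BLOB = xor_cyclic(_DEMO_PLAIN, _DEMO_KEY)

if __name__ == "__main__":
    # The analyst assumes each entry starts with "https://"; the second entry
    # begins right after the first NUL, at offset 21 in this constructed blob.
    k = recover_key(DEMO_BLOB, key_len=3, known=[(0, b"https://"), (21, b"https://")])
    print(k.hex(), decode_c2_list(DEMO_BLOB, k))
```

The same approach works for any cyclic key whose length is covered by the known fragments; a fragment shorter than the key leaves positions unrecovered and the function reports which ones.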
"The malware then counts the files to be encrypted, and it collects information from the infected machine, sending it to the C2 server after encryption. The exfiltrated information includes user name, OS version, hostname, and build," the AT&T report notes. "The malware will loop through the files to be encrypted and then encrypt them using ChaCha20 with the RSA 4096 key taken from the configuration. After encryption, the malware will add a tail at the end of the encrypted file that includes a constant and the cipher."
Once the encryption is done, the malware creates a ransom note in each folder where files were encrypted.