[MART] - Daily Diary #294 - Netfilter Malware Found With a Valid Microsoft Certificate

CTAS-MAT ctas-mat at appgate.com
Wed Jun 30 00:04:59 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

06/29/2021 - Diary entry #294:

Covered in several of our Daily Diaries, Sodinokibi (a.k.a REvil) is a ransomware that operates in the Ransomware-as-a-service business model. Since last year, REvil focused on stealing data before encrypting and publishing in their wall-of-shame "Happy Blog" if the ransom is not payed, in a double-extortion model.

Sodinokibi targets Windows machines, but this week a new variant compiled in ELF64 format was found. An attacker can use this new variant to silently encrypt a directory inside a Linux environment. Curiously this new sample seems to be built to attack VMware ESXi servers, as upon receiving a command it stops all virtual machines through the esxcli command-line tool (to avoid data corruption) and encrypts the files stored in /vmmfs/ directory.

This incident makes Sodinokibi an even more dangerous threat. The capability of running in other platforms not only increases the number of services that can be affected, but enables an attacker to dive more deeply into the network. Also, by targeting ESXi machines, this threat can encrypt several servers at once, increasing significantly the potential damage in those environments.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210630/abd154bc/attachment.html>


More information about the MART mailing list