Sunday, November 17, 2024
HomeCyber Security NewsPlay Ransomware’s Linux Variant Attacking VMware ESXi Servers

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

Published on

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual machine files and appends the “.PLAY” extension by leveraging obfuscation techniques to bypass detection and is compressed with a Windows variant in a RAR archive. 

It utilizes similar tactics as the Windows version based on the presence of common tools associated with Play ransomware on the command-and-control server, which suggests that the Play ransomware group is expanding its attacks to Linux environments and potentially increasing the impact of their operations.  

The infection chain of the Linux variant of Play ransomware includes the use of several tools.

In the initial infection stage, it verifies the environment by looking for the presence of ESXi-specific commands (vim-cmd and esxcli), and if the commands are found, the ransomware proceeds with its malicious routine.

- Advertisement - SIEM as a Service

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

First, it disables all running virtual machines to prevent data access or modification. Then, it sets a custom welcome message on the ESXi host, potentially alerting victims of the attack. 

The ransomware encrypts critical VM files, including disks, configuration files, and metadata files, rendering them inaccessible. To indicate that Play ransomware has infected them, the encrypted files have the “.PLAY” extension appended. 

The login portal of the affected ESXi server also displays the ransom note.

A ransom note is dropped in the root directory of the compromised system, and the same note is displayed on both the ESXi login portal and the console, which ensures that the victim will encounter the ransom note regardless of the method used to access the compromised ESXi system.

Analysis of the Play ransomware attack revealed a connection to Prolific Puma, a threat actor known for offering link-shortening services using domains generated by a Registered Domain Generation Algorithm (RDGA). 

The ransomware payload and other tools were hosted on a server with several IP addresses, which resolved to multiple RDGA domains registered by Porkbun, LLC, and NameCheap, Inc., further obfuscating the attacker’s identity.  

The VirusTotal result of the URL mentions Prolific Puma.

Prolific Puma registered domains that resolved to the Play ransomware IP address using their typical short and random names, and the message that appeared on these domains matched that seen in Prolific Puma’s infrastructure. 

The Coroxy backdoor used by Play ransomware has been detected, establishing a connection to the specified IP address.

The Coroxy backdoor used by Play ransomware connected to another IP address that also resolved to Prolific Puma-linked domains by connecting to an IP address that resolved to multiple domains registered by Prolific Puma. 

Further investigation by Trend Micro revealed this IP belonged to the same autonomous system (ASN) as another IP linked to Prolific Puma, indicating they share the same network provider.  

The overlap in infrastructure suggests a potential collaboration between Play ransomware and Prolific Puma, while Play ransomware may be seeking to improve its ability to bypass security measures using Prolific Puma’s services. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...