FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim’s machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C.A similar sample to the ones in this campaign was documented previously by Trellix.Why is this Significant?This is significant because the newly observed campaign was launched by the Conti ransomware group who are known for taking encrypted files and stolen information belonging to countless companies from varying sectors hostage for profits. The group announced it plans to retaliate against western targets after the Russian invasion into Ukraine adding a political motivation on top of financial gain.This new campaign seems to be similar to the previous campaigns however, some of the samples involved have much lower detection rates at the time of this writing.What Does the Malware Do?Conti ransomware variants used in the new campaign performs activities identical to the previous ones; it encrypts files on the compromised machine and adds a “.conti” file extension to them after the threat actor exfiltrates information from victim’s network. It will then demand a ransom payment from the victim in order to recover the affected files and to prevent stolen information from being released to the public.It leaves a ransom note that reads:All of your files are currently encrypted by CONTI strain. If you don’t know who we are – just “Google it”.As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.DONT’T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try – we recommend choosing the data of the lowest value.DON’T TRY TO IGNORE us. We’ve downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.DON’T TRY TO CONTACT feds or any recovery companies.We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly.To prove that we REALLY CAN get your data back – we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://[Removed].onion/-YOU SHOULD BE AWAREWe will speak only with an authorized person. It can be the CEO, top management, etc.In case you are not such a person – DON’T CONTACT USYour decisions and action can result in serious harm to your companyInform your supervisors and stay calmThe malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines.The malware has a detailed helper dialog. This provides another indication for the fact Conti group consists of many people.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign:Linux/Filecoder_Conti.083E!tr.ransomLinux/Filecoder_Conti.0B97!tr.ransomLinux/Filecoder_Conti.14E3!tr.ransomLinux/Filecoder_Conti.3233!tr.ransomLinux/Filecoder_Conti.3691!tr.ransomLinux/Filecoder_Conti.3FA2!tr.ransomLinux/Filecoder_Conti.5DE1!tr.ransomLinux/Filecoder_Conti.638B!tr.ransomLinux/Filecoder_Conti.65AB!tr.ransomLinux/Filecoder_Conti.919D!tr.ransomLinux/Filecoder_Conti.BDC5!tr.ransomLinux/Filecoder_Conti.C2F5!tr.ransomLinux/Filecoder_Conti.C3D1!tr.ransomLinux/Filecoder_Babyk.H!trPossibleThreatFortiEDR blocks the Conti samples pre-execution.
FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modules that are downloaded from a Command and Control (C2) server. Each module has its own purpose and is responsible for downloading and executing the next module. The goal of Shikitega is to deploy XMRig cryptominer, taking control of the compromised Linux machine. Why is this Significant?This is significant because Shikitega is a new Linux malware that is designed to take a full control of a compromised machine. It uses variety of attack arsenals: “Shikata Ga Nai” (“it cannot be helped” in Japanese) polymorphic shellcode encoder to evade detection from AV products, exploits for a couple of vulnerabilities for privilege escalation, a Metasploit meterpreter called “Mettle” that enables the attacker to perform a wide range of malicious activities on the infected machine, and XMRig cryptominer for mining Monero. What is Shikitega Malware?Shikitega is a malware that is designed to run on Linux machines and consists of small modules.The Shikitega’s infection chain starts with a single dropper containing a payload obfuscated by “Shikata Ga Nai” polymorphic encoder. Once the payload is decrypted and executed, it does not only download the next module from its C2 server but also downloads another dropper module and run them. One new module is a Metasploit meterpreter called “Mettle” that allows the attacker to perform malicious activities on the infected machine such as taking a control of webcams and executing shell commands. The other module is also encoded using “Shikata Ga Nai” and is responsible for downloading another module and executing it with root privileges by exploiting two vulnerabilities (CVE-2021-4034 and CVE-2021-3493). The next module is XMrig, which is a legitimate but oft-abused cryptominer for Monero cryptocurrency. What Vulnerabilities does Shikitega Exploit?Shikitega exploits CVE-2021-4034 and CVE-2021-3493 for privilege escalation. CVE-2021-4034 is a vulnerability in the polkit packages that provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Successful exploitation of the vulnerability an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.8 and is included in CISA’s Known Exploited Vulnerabilities Catalog.CVE-2021-3493 is a flaw in the Linux kernel which the overlayfs stacking file system did not properly validate the application of file system capabilities with respect to user namespaces. Successful exploitation of the vulnerability an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.4.Are Patches Available for CVE-2021-4034 and CVE-2021-3493?Yes, both vulnerabilities have been fixed.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples:PossibleThreatLinux/CVE_2021_3493.A!trLinux/CVE_2021_4034.G!trFortiGuard Labs is currently investigating additional coverage for CVE-2021-4034 and CVE-2021-3493. This Threat Signal will be updated when update becomes available.
The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka a Tuple Space Explosion (TSE) attack.