Linux/ESXiArgs.VMVS!tr.ransom
Analysis
Linux/ESXiArgs.VMVS!tr.ransom is a generic detection for a trojan.
Since this is a generic detection, malware detected as Linux/ESXiArgs.VMVS!tr.ransom may exhibit varying behaviour.
Below are some of its observed characteristics and behaviours:
- This malware is related to the ESXiArgs ransomware outbreak.
- The ransomware exploits a vulnerability in VMware ESXi servers: a heap overflow in the OpenSLP service of ESXi (CVE-2021-21974) that can result in remote code execution.
- Upon execution, the ransomware attempts to stop the VMX process and then traverses the system looking for files with the following extensions: ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem". It attempts to encrypt the targeted files, writes the encrypted data to new files with the extension ".args", and then deletes log files.
- A ransom note asking for payment may be dropped. Affected users are discouraged from paying, as payment does not guarantee the recovery of the data.
- The malware has been associated with the following third-party articles and advisories:
  https://www.csirt.gov.it/contenuti/rilevato-lo-sfruttamento-massivo-della-cve-202121974-in-vmware-esxi-al01-230204-csirt-ita
  https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974
- Sample hashes (MD5 / SHA256):
  948e6d82d625ec2ebec2b2e5ee21ada8 / 73c66de7964b86b9fe32563b7d3195b87896a644c2bcdcaea74b81cb5da2a06b
  df1921871117dc84e9d1faf361656a83 / 5a9448964178a7ad3e8ac509c06762e418280c864c1d3c2c4230422df2c66722
  d0d36f169f1458806053aae482af5010 / 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459
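The file-targeting behaviour described above can be turned into a simple datastore check. The following is an added example, not Fortinet's code; it assumes (as labelled in the comments) that the encrypted copy is written as "<original name>.args" beside the original file, and the sample path listing is constructed.

```python
# Added example (not Fortinet's code): flag datastore files matching the ESXiArgs
# pattern described above. Assumption: the encrypted copy is written as
# "<original name>.args" next to the original file.
import os
from typing import Dict, Iterable, List

# File extensions the write-up lists as ransomware targets.
TARGET_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                     ".vswp", ".vmss", ".nvram", ".vmem"}
ENCRYPTED_SUFFIX = ".args"


def classify_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket datastore paths: 'encrypted' (.args copies of targeted VM files),
    'originals' (targeted files still present beside an .args copy, i.e. the
    encryption may be incomplete) and 'orphaned' (.args files with no VM origin)."""
    path_set = set(paths)
    result: Dict[str, List[str]] = {"encrypted": [], "originals": [], "orphaned": []}
    for path in sorted(path_set):
        if not path.endswith(ENCRYPTED_SUFFIX):
            continue
        original = path[: -len(ENCRYPTED_SUFFIX)]
        # Assumed naming: "web01.vmdk.args" is the encrypted form of "web01.vmdk".
        if os.path.splitext(original)[1].lower() in TARGET_EXTENSIONS:
            result["encrypted"].append(path)
            if original in path_set:
                result["originals"].append(original)
        else:
            result["orphaned"].append(path)
    return result


def scan_datastore(root: str) -> Dict[str, List[str]]:
    """Walk a datastore mount (e.g. /vmfs/volumes/<id>) and classify every file."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(found)


# Constructed sample listing; not taken from a real host.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.nvram",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/notes.txt.args",
]

if __name__ == "__main__":
    for bucket, items in classify_paths(SAMPLE_PATHS).items():
        print(f"{bucket}: {items}")
```

Run `scan_datastore("/vmfs/volumes/<id>")` on a host suspected of compromise to see which VM files have an ".args" counterpart; a non-empty "originals" bucket means the original file still exists and should be preserved before any cleanup.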
Outbreak Alert
ESXi servers vulnerable to the OpenSLP heap-overflow vulnerability (CVE-2021-21974) and the OpenSLP remote code execution vulnerability (CVE-2020-3992) are being exploited through the OpenSLP service on port 427 to deliver a new ransomware, "ESXiArgs". The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Available
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |