AT&T Alien Labs has recently published an analysis of the Linux version of the Darkside ransomware, which was one of the most active ransomware families in the last quarter. Even though the Darkside developers announced they would be closing operations after hitting Colonial Pipeline and drawing much attention, AT&T researchers found evidence that Darkside had built a Linux version of its malware.
According to the researchers, unlike other Linux ransomware that encrypts files with a password, Darkside encrypts using cryptographic libraries. This makes it impossible to recover files without the encryption key.
Researchers say that although Linux servers are regarded as more secure and reliable, if they are not maintained properly attackers can easily take them over with a single infection.
“Linux and UNIX servers are often set up and then forgotten, left without detection or protection mechanisms. This makes them very attractive to attackers. By infecting unprotected virtualization servers, attackers can perform devastating attacks on companies, taking down all the services of a company with a single infection.”
Darkside is a group that operates as ransomware-as-a-service (RaaS) and has infected companies globally. After the notorious pipeline attack, fearing attention from law enforcement, the group decided to shut down its operations. But, according to AT&T Alien Labs, not before the gang released a Linux version of its Darkside malware, which is targeted at ESXi servers hosting VMware virtual desktops. The threat actors announced Darkside version 2.0 with Linux capabilities on March 9, 2021, on the XSS Forum.
Darkside Linux mostly targets ESXi servers. Its default configuration points at the root path of an ESX server. The behavior of the malware is unusual, researchers note, as it displays on the screen most of the actions it performs. This could mean that the malware is being operated manually.
The malware is written in C++ and uses several open-source libraries, among them crypto++, boost, and curl. These libraries account for the final binary's size of 2.7 MB.
To communicate with its Command and Control (C&C) server, the malware uses libcurl functions. The malware can also execute arbitrary commands to shut down virtual machines with esxcli commands, and its operators can interact with virtual machines through the console.
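As an added defender-side example (not code from the AT&T report), the following Python flags bursts of `esxcli vm process kill` invocations in an ESXi host's shell.log, the trace the VM shutdown step described above would leave. The log format and sample lines are constructed approximations of the ESXi shell.log layout, and the choice of that specific esxcli subcommand is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating ESXi /var/log/shell.log
# (timestamp, shell[pid], [user], command). Not taken from the report.
SAMPLE_SHELL_LOG = """\
2021-05-20T10:15:31Z shell[2001]: [root]: esxcli vm process list
2021-05-20T10:15:40Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2100
2021-05-20T10:15:42Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101
2021-05-20T10:15:45Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2102
2021-05-20T11:02:10Z shell[2077]: [admin]: esxcli storage filesystem list
2021-05-20T11:05:00Z shell[2077]: [admin]: esxcli vm process kill --type=soft --world-id=2200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")


def parse_shell_log(text):
    """Yield (timestamp, user, command) for every well-formed shell.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("cmd")


def find_vm_kill_bursts(text, window_seconds=60, threshold=3):
    """Return (user, first_kill_iso, count) for each user who ran
    'esxcli vm process kill' at least `threshold` times within any
    `window_seconds` span. A burst of kills from one shell session is the
    mass VM shutdown pattern; a lone kill is usually routine administration."""
    kills = defaultdict(list)
    for ts, user, cmd in parse_shell_log(text):
        if KILL_RE.search(cmd):
            kills[user].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, times in kills.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start].isoformat(), end - start + 1))
                break  # one alert per user is enough for triage
    return alerts
```

With the defaults, only the three kills by root within five seconds raise an alert; the single soft kill by admin does not.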
“When executed, the malware prints its configuration to the terminal. This includes the root path to encrypt, RSA key information, targeted file extensions to encrypt, C2 addresses, and more, as seen in figure 4. The C&C addresses are encrypted using a rotated XOR key, which will be decrypted when the malware is executed,” the researchers explain.
The malware then counts the encrypted files and exfiltrates information from the infected machine to the C&C server.
When done, the malware encrypts the files using the ChaCha20 algorithm with an RSA-4096 key. After encryption, the malware creates a ransom note in each folder where encrypted files are stored.
“Ransomware remains one of the biggest threats to companies globally, especially when it comes to virtual machine servers that may contain multiple machines that are primary targets for Darkside malware,” the researchers concluded.