The PolySwarm Blog

IceFire Ransomware Linux Variant

Mar 17, 2023 2:56:51 PM / by The Hivemind

IceFire

Verticals Targeted: media, entertainment

Executive Summary

Sentinel Labs recently reported on a new Linux variant of IceFire ransomware. The threat actors responsible for IceFire exploit CVE-2022-47986 to deploy the ransomware. 

Key Takeaways

  • Sentinel Labs recently reported on a new Linux variant of IceFire ransomware.
  • The threat actors responsible for IceFire exploit CVE-2022-47986 to deploy the ransomware.
  • IceFire encrypts files in both user and shared directories, appending the .ifire extension to the filename.

What is the IceFire Linux Variant?

Sentinel Labs recently reported on a new Linux variant of IceFire ransomware. The threat actors responsible for IceFire exploit CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex, to deploy the ransomware. The recent campaign has been active since at least February and targets entities in the media and entertainment vertical. The original Windows variant of IceFire was discovered in early 2022.

The IceFire Linux variant is a 2.18 MB 64-bit ELF binary. When the Linux variant is deployed, it downloads two payloads. When executed, IceFire encrypts files in both user and shared directories, appending the .ifire extension to the filename.

The IceFire Linux variant excludes the following file types and paths from encryption to ensure vital parts of the system will still work:

  • .cfg
  • .o
  • .sh
  • .img
  • .txt
  • .xml
  • .jar
  • .pid
  • .ini
  • .pyc
  • .a
  • .so
  • .run
  • .env
  • .cache
  • .xmlb
  • /boot
  • /dev
  • /etc
  • /lib
  • /proc
  • /srv
  • /sys
  • /usr
  • /var
  • /run
Following encryption, IceFire removes its binary to delete itself. IceFire’s ransom note instructs users to log into a ransom payment portal hosted on Tor. At present, the IceFire Linux variant is difficult to detect.
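The post gives defenders two host-level observables for this variant: files renamed with the .ifire extension, and a ransom note that directs victims to a Tor payment portal. The hunting script below is an added example, not code from PolySwarm or from Sentinel Labs' report. It walks a filesystem, flags .ifire files, flags small text files containing a .onion address (the post does not give the ransom note's filename or wording, so the note is identified by content alone, which is an assumption), and hashes any ELF file it meets against the SHA-256 from the IOC section. Because the post says the binary deletes itself after encryption, the hash check will usually only hit on staged or quarantined copies; the .ifire and note checks are what you expect to fire on an already-encrypted host.

```python
"""Hunt for IceFire Linux-variant artefacts on a host (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ifire"

# Pseudo-filesystems we never descend into. The post lists them among the
# paths IceFire skips, and walking them is slow or unsafe anyway.
PRUNE_DIRS = {"/proc", "/sys", "/dev"}

# SHA-256 of the sample referenced in the post's IOC section.
KNOWN_SAMPLE_SHA256 = {
    "e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b",
}

# Tor v2 (16 chars) and v3 (56 chars) onion names are lowercase base32.
ONION_RE = re.compile(rb"\b[a-z2-7]{16,56}\.onion\b")
NOTE_MAX_BYTES = 64 * 1024  # ransom notes are small text files


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path: str) -> bool:
    """Cheap magic check so we only hash candidate binaries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def is_known_sample(path: str) -> bool:
    return sha256_of(path) in KNOWN_SAMPLE_SHA256


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic (assumption): a small file that contains a .onion address."""
    try:
        if os.path.getsize(path) > NOTE_MAX_BYTES:
            return False
        with open(path, "rb") as fh:
            data = fh.read(NOTE_MAX_BYTES)
    except OSError:
        return False
    return ONION_RE.search(data) is not None


def hunt(root: str) -> dict:
    """Return {'encrypted': [...], 'notes': [...], 'samples': [...]} under root."""
    findings = {"encrypted": [], "notes": [], "samples": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into pseudo-filesystems.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PRUNE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(full)
            elif looks_like_ransom_note(full):
                findings["notes"].append(full)
            if is_elf(full) and is_known_sample(full):
                findings["samples"].append(full)
    return findings


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and hunt it.

    All file contents here are made up for the example; the note text is
    not IceFire's real wording, which the post does not reproduce.
    """
    with tempfile.TemporaryDirectory() as base:
        victim = Path(base, "home", "alice", "docs")
        victim.mkdir(parents=True)
        (victim / "q1-report.xlsx.ifire").write_bytes(b"\x00" * 512)
        (victim / "README.txt").write_text(
            "Your files are encrypted. Visit "
            "http://abcdefghijklmnop.onion/login to pay.\n")
        (victim / "notes.txt").write_text("meeting at 10\n")  # benign
        results = hunt(base)
        # Report paths relative to the temp root so output is stable.
        return {k: sorted(os.path.relpath(p, base) for p in v)
                for k, v in results.items()}


if __name__ == "__main__":
    print(demo())
```

Run `hunt("/")` as root on a suspect host; the pruning of /proc, /sys and /dev keeps the walk bounded, and the ELF magic check keeps hashing to files that could actually be the dropped binary. Treat the .onion heuristic as a triage aid, not a verdict: any small file that legitimately mentions a Tor address will also be listed.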

IOCs

PolySwarm has a sample of the IceFire Linux variant.

e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b

You can use the following CLI command to search for all IceFire Linux variant samples in our portal:

$ polyswarm link list -f IceFire


Topics: Threat Bulletin, Ransomware, IceFire, CVE-2022-47986
