Executive Summary
Sentinel Labs recently reported on a new Linux variant of IceFire ransomware. The threat actors responsible for IceFire exploit CVE-2022-47986 to deploy the ransomware.
What is the IceFire Linux Variant?
Sentinel Labs recently reported on a new Linux variant of IceFire ransomware. The threat actors responsible for IceFire exploit CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex, to deploy the ransomware. The recent campaign has been active since at least February and targets entities in the media and entertainment vertical. The original Windows variant of IceFire was discovered in early 2022.
The IceFire Linux variant is a 2.18 MB 64-bit ELF binary. When the Linux variant is deployed, it downloads two payloads. When executed, IceFire encrypts files in both user and shared directories, appending the .ifire extension to the filename.
The IceFire Linux variant excludes the following file types and paths from encryption to ensure vital parts of the system will still work:
Following encryption, IceFire deletes its own binary from disk. IceFire’s ransom note instructs victims to log into a ransom payment portal hosted on Tor. At present, the IceFire Linux variant is difficult to detect.
IOCs
PolySwarm has a sample of the IceFire Linux variant.
e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b
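The two host-side indicators this report gives a defender are the sample's SHA-256 and the .ifire extension appended to encrypted files. The following is an added example (not PolySwarm's code or tooling) that sweeps a directory tree for both: it streams every file through SHA-256 and compares against the published hash, and it counts .ifire files per directory so a responder can see which user and shared directories were touched. The demo tree it builds is constructed sample data; the file names in it, and the `build_demo_tree`/`demo` helpers, are assumptions for the example, not artifacts from the campaign.

```python
"""Added example: sweep a directory tree for IceFire Linux indicators.

Two checks, both taken from the report text:
  1. files whose SHA-256 matches the published sample hash (IOC);
  2. files carrying the .ifire extension that IceFire appends after encryption.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# SHA-256 of the IceFire Linux sample published in the report.
ICEFIRE_SHA256 = {"e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b"}
# Extension IceFire appends to files it has encrypted.
ENCRYPTED_EXT = ".ifire"


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes=ICEFIRE_SHA256):
    """Walk `root` and return:
    - ioc_matches: paths whose SHA-256 is in `ioc_hashes`
    - encrypted_files: paths ending in .ifire
    - encrypted_per_dir: number of .ifire files per directory
    Symlinks are skipped so the sweep cannot be led outside `root`.
    """
    ioc_matches, encrypted_files = [], []
    encrypted_per_dir = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into symlinked directories.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            if path.suffix == ENCRYPTED_EXT:
                encrypted_files.append(str(path))
                encrypted_per_dir[dirpath] += 1
            try:
                if sha256_of(path) in ioc_hashes:
                    ioc_matches.append(str(path))
            except OSError:
                # Unreadable or vanished mid-walk: skip it and keep sweeping.
                continue
    return {
        "ioc_matches": ioc_matches,
        "encrypted_files": sorted(encrypted_files),
        "encrypted_per_dir": dict(encrypted_per_dir),
    }


def build_demo_tree():
    """Constructed sample tree (not real data): a user home directory and a
    shared directory holding .ifire files, plus an untouched config file."""
    root = Path(tempfile.mkdtemp(prefix="icefire-demo-"))
    (root / "home" / "alice").mkdir(parents=True)
    (root / "shared").mkdir()
    (root / "etc").mkdir()
    (root / "home" / "alice" / "report.docx.ifire").write_bytes(b"\x00" * 64)
    (root / "home" / "alice" / "photo.jpg.ifire").write_bytes(b"\x01" * 64)
    (root / "shared" / "budget.xlsx.ifire").write_bytes(b"\x02" * 64)
    (root / "etc" / "app.conf").write_text("setting=1\n")
    return root


def demo():
    """Sweep the constructed tree. The real IOC set matches nothing there; a
    second sweep with the hash of one demo file stands in for a hit, to show
    the IOC code path without shipping a real sample."""
    root = build_demo_tree()
    real = scan_tree(root)
    simulated_ioc = {sha256_of(root / "etc" / "app.conf")}  # constructed, not a real IOC
    simulated = scan_tree(root, ioc_hashes=simulated_ioc)
    return {
        "encrypted_count": len(real["encrypted_files"]),
        "ioc_matches_real": len(real["ioc_matches"]),
        "ioc_matches_simulated": len(simulated["ioc_matches"]),
        "dirs_hit": len(real["encrypted_per_dir"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real mount point by calling `scan_tree("/home")` or `scan_tree("/srv/shared")`; the per-directory counts are the useful part for scoping, since a single .ifire file is likely noise while whole directories of them are the signature of an encryption run. Hashing every file is slow on large volumes, so in practice restrict the hash check to executable candidates (the report describes the sample as a 2.18 MB ELF) and keep the extension sweep over everything.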
You can use the following CLI command to search for all IceFire Linux variant samples in our portal:
$ polyswarm link list -f IceFire