The PolySwarm Blog


TargetCompany Ransomware Linux Variant

Jun 10, 2024 2:25:02 PM / by The Hivemind

Verticals Targeted: Healthcare, Finance, Government, Manufacturing, Education, Information Technology, Retail, Transportation, Utilities, Telecommunications

Executive Summary

A new Linux variant of TargetCompany ransomware was recently discovered that uses a custom shell script to deliver and execute payloads in ESXi environments. 

Key Takeaways

  • A new Linux variant of TargetCompany ransomware was recently discovered. 
  • The new variant uses a custom shell script to deliver and execute payloads in VMware ESXi environments.
  • TargetCompany’s Linux variant follows the trend of ransomware groups expanding their attacks to include critical Linux environments.
  • Attacks leveraging the new TargetCompany variant have been attributed to a threat actor known as “vampire”.

What is TargetCompany?

A new Linux variant of TargetCompany ransomware was recently discovered. The new variant uses a custom shell script to deliver and execute payloads in VMware ESXi environments. This new method was not observed in previous TargetCompany variants. Trend Micro recently reported on this activity. 

TargetCompany, also known as Mallox, FARGO, and Tohnichi, is a ransomware family first discovered in June 2021. The original TargetCompany targeted Windows devices. TargetCompany has historically leveraged database attacks on MySQL, Oracle, and SQL Server. 

The ransomware has been observed targeting entities in Taiwan, South Korea, Thailand, India, Saudi Arabia, and the US. TargetCompany is known to target multiple verticals, including business services, healthcare, finance, government, manufacturing, education, information technology, retail, transportation, utilities, and telecommunications. TargetCompany evolved in September 2022 and began threatening to leak stolen victim data over Telegram.

TargetCompany’s Linux variant follows the trend of ransomware groups expanding their attacks to include critical Linux environments. The TargetCompany Linux variant ensures it has administrative privileges before continuing its malicious activity. The threat actor uses a custom script to download and execute the ransomware payload. The script can also exfiltrate data to two separate servers for redundancy.

The variant checks for a VMware ESXi environment and encrypts files with a VM-related extension, such as vmdk, vmem, vswp, vmx, vmsn, and nvram. Encrypted files are appended with the .locked extension, and a ransom note is dropped. Finally, the shell script deletes the payload as an anti-analysis measure. 
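To help responders spot the file pattern described above (VM-related files renamed with a trailing .locked extension), here is an added Python triage helper; it is not part of the bulletin or of PolySwarm's tooling, and the /vmfs/volumes/ds1 datastore path and the file names in it are constructed samples.

```python
import os
from collections import defaultdict

# Behaviour described in the bulletin: VM-related files get encrypted and
# renamed with a trailing ".locked" extension.
VM_EXTENSIONS = {"vmdk", "vmem", "vswp", "vmx", "vmsn", "nvram"}
LOCKED_SUFFIX = ".locked"


def is_locked_vm_file(name):
    """Return True if the file name looks like '<name>.<vm-ext>.locked'."""
    if not name.endswith(LOCKED_SUFFIX):
        return False
    stem = name[: -len(LOCKED_SUFFIX)]
    if "." not in stem:
        return False
    return stem.rsplit(".", 1)[1].lower() in VM_EXTENSIONS


def triage_paths(paths):
    """Group encrypted VM files by directory.

    `paths` is any iterable of file paths (from os.walk or a file listing
    taken during incident response). Returns {directory: sorted names} so
    responders can see which VM folders on the datastore were touched.
    """
    hits = defaultdict(list)
    for path in paths:
        directory, name = os.path.split(path)
        if is_locked_vm_file(name):
            hits[directory].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def triage_datastore(root):
    """Walk a mounted or copied datastore and triage everything under it."""
    all_files = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage_paths(all_files)


if __name__ == "__main__":
    # Constructed sample listing; /vmfs/volumes/ds1 is an assumed datastore path.
    sample = [
        "/vmfs/volumes/ds1/web01/web01.vmdk.locked",
        "/vmfs/volumes/ds1/web01/web01.vmx.locked",
        "/vmfs/volumes/ds1/web01/web01.nvram",       # untouched file
        "/vmfs/volumes/ds1/db02/db02.vmem.locked",
        "/vmfs/volumes/ds1/db02/report.pdf.locked",  # encrypted, but not a VM file
    ]
    for folder, names in triage_paths(sample).items():
        print(folder, names)
```

Run triage_datastore() against a copy of the datastore taken for analysis rather than the live host, so the listing itself does not disturb evidence.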

Trend Micro has attributed attacks involving the new TargetCompany variant to a threat actor known as “vampire”. While the threat actor’s origins are unknown, the C2 servers used in the attacks were traced to an ISP in China.

IOCs

PolySwarm has multiple samples of TargetCompany.

  • 7c10256d9358d4cadb96b8160651172b6ac9a4bf898868823f7c76bf33cb823e
  • d736a71e6070e6f25ffe9507794544d841facc2e8a87f38a8280785332990553
  • 1c8b6d5b79d7d909b7ee22cccf8f71c1bd8182eedfb9960c94776620e4543d13

You can use the following CLI command to search for all TargetCompany samples in our portal:

$ polyswarm link list -f TargetCompany


Topics: Threat Bulletin, Ransomware, Linux, Asia, APAC, TargetCompany, ESXi
