Verticals Targeted: Healthcare, Finance, Government, Manufacturing, Education, Information Technology, Retail, Transportation, Utilities, Telecommunications
Executive Summary
A new Linux variant of TargetCompany ransomware was recently discovered that uses a custom shell script to deliver and execute payloads in ESXi environments.
Key Takeaways
- A new Linux variant of TargetCompany ransomware was recently discovered.
- The new variant uses a custom shell script to deliver and execute payloads in VMware ESXi environments.
- TargetCompany’s Linux variant follows the trend of ransomware groups expanding their attacks to include critical Linux environments.
- Attacks leveraging the new TargetCompany variant have been attributed to a threat actor known as “vampire”.
What is TargetCompany?
A new Linux variant of TargetCompany ransomware was recently discovered. The new variant uses a custom shell script to deliver and execute payloads in VMware ESXi environments. This new method was not observed in previous TargetCompany variants. Trend Micro recently reported on this activity.
TargetCompany, also known as Mallox, FARGO, and Tohnichi, is a ransomware family first discovered in June 2021. The original TargetCompany targeted Windows devices. TargetCompany has historically leveraged database attacks on MySQL, Oracle, and SQL Server.
The ransomware has been observed targeting entities in Taiwan, South Korea, Thailand, India, Saudi Arabia, and the US. TargetCompany is known to target multiple verticals, including business services, healthcare, finance, government, manufacturing, education, information technology, retail, transportation, utilities, and telecommunications. TargetCompany evolved in September 2022 and began threatening to leak stolen victim data over Telegram.
TargetCompany’s Linux variant follows the trend of ransomware groups expanding their attacks to include critical Linux environments. The TargetCompany Linux variant ensures it has administrative privileges before continuing its malicious activity. The threat actor uses a custom script to download and execute the ransomware payload. The script can also exfiltrate data to two separate servers for redundancy.
The variant checks for a VMware ESXi environment and encrypts files with a VM-related extension, such as vmdk, vmem, vswp, vmx, vmsn, and nvram. Encrypted files are appended with the .locked extension, and a ransom note is dropped. Finally, the shell script deletes the payload as an anti-analysis measure.
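The encryption behaviour described above gives a responder something concrete to hunt for on a datastore. The following script is an added example for this report, not PolySwarm's or Trend Micro's code: the only facts it takes from the text are the VM-related extensions the variant targets and the ".locked" suffix it appends. The datastore layout, file names, and the `/vmfs/volumes` path in the sample listing are constructed.

```python
"""Hunt for TargetCompany-style encryption artefacts on a VMware datastore.

Added example for this report, not the vendor's code. Facts taken from the
report: the targeted VM extensions (vmdk, vmem, vswp, vmx, vmsn, nvram) and
the ".locked" suffix. Every path below is a constructed sample.
"""
import os
from collections import defaultdict

# Extensions the report names as targeted by the Linux variant.
VM_EXTENSIONS = {"vmdk", "vmem", "vswp", "vmx", "vmsn", "nvram"}
LOCKED_SUFFIX = ".locked"


def classify_path(path):
    """Return the original VM extension if `path` looks like an encrypted VM file.

    /vmfs/volumes/ds1/web01/web01.vmdk.locked is reported as "vmdk". Files
    without the .locked suffix, or whose inner extension is not VM-related
    (e.g. readme.txt.locked), return None.
    """
    name = os.path.basename(path)
    if not name.endswith(LOCKED_SUFFIX):
        return None
    inner = name[: -len(LOCKED_SUFFIX)]
    ext = inner.rsplit(".", 1)[-1].lower() if "." in inner else ""
    return ext if ext in VM_EXTENSIONS else None


def summarize(paths):
    """Group encrypted VM files by original extension and list affected VM dirs."""
    by_ext = defaultdict(list)
    vm_dirs = set()
    for p in paths:
        ext = classify_path(p)
        if ext:
            by_ext[ext].append(p)
            vm_dirs.add(os.path.dirname(p))
    return {
        "by_extension": dict(by_ext),
        "affected_dirs": sorted(vm_dirs),
        "total": sum(len(v) for v in by_ext.values()),
    }


def scan_directory(root):
    """Walk a real datastore path (e.g. /vmfs/volumes) and summarize it."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            found.append(os.path.join(dirpath, fn))
    return summarize(found)


# Constructed sample listing, standing in for `find /vmfs/volumes -type f`.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.locked",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.locked",
    "/vmfs/volumes/ds1/web01/web01.vmx.locked",
    "/vmfs/volumes/ds1/web01/web01.nvram.locked",
    "/vmfs/volumes/ds1/db01/db01.vmdk",            # untouched disk
    "/vmfs/volumes/ds1/db01/db01.vswp.locked",
    "/vmfs/volumes/ds1/db01/vmware.log",           # not a VM disk/state file
    "/vmfs/volumes/ds1/notes/readme.txt.locked",   # .locked, but not VM-related
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LISTING)
    print(f"{report['total']} encrypted VM files in {len(report['affected_dirs'])} VM directories")
    for ext, files in sorted(report["by_extension"].items()):
        print(f"  {ext}: {len(files)}")
```

Run `scan_directory("/vmfs/volumes")` on a host to apply the same logic to a live datastore; the per-extension breakdown is useful when deciding which VMs can be restored from snapshots versus backups. Note that the script only finds the renamed files; because the report states the shell script deletes the payload after running, the dropped ransom note and the encrypted files may be the only artefacts left on disk.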
Trend Micro has attributed attacks involving the new TargetCompany variant to a threat actor known as “vampire”. While the threat actor’s origins are unknown, the C2 server used in the attacks was traced to an ISP in China.
IOCs
PolySwarm has multiple samples of TargetCompany.
7c10256d9358d4cadb96b8160651172b6ac9a4bf898868823f7c76bf33cb823e
d736a71e6070e6f25ffe9507794544d841facc2e8a87f38a8280785332990553
1c8b6d5b79d7d909b7ee22cccf8f71c1bd8182eedfb9960c94776620e4543d13
You can use the following CLI command to search for all TargetCompany samples in our portal:
$ polyswarm link list -f TargetCompany
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.