{"id":36794,"date":"2023-02-07T13:56:39","date_gmt":"2023-02-07T12:56:39","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=36794"},"modified":"2023-04-13T10:38:50","modified_gmt":"2023-04-13T08:38:50","slug":"hide-your-hypervisor-analysis-of-esxiargs-ransomware","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/hide-your-hypervisor-analysis-of-esxiargs-ransomware\/","title":{"rendered":"Hide your Hypervisor: Analysis of ESXiArgs Ransomware"},"content":{"rendered":"<p><strong>In this blog post we will be analyzing the recent \u201cESXiArgs\u201d Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.<\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Attack_Vectors\"><\/span>Attack Vectors<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the past, Ransomware targeting ESXi Hypervisors was largely human-operated and a late stage of a general Ransomware attack in which other assets (clients, servers) are encrypted first. Reaching the virtualization layer usually requires acquiring valid credentials and changing configuration options (e.g. enabling SSH) to obtain remote access to the Hypervisor, on which the attacker then runs the ransomware in a <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/compass\/human-operated-ransomware#human-operated-ransomware-attacks\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">\u201chands-on-keyboard\u201d attack<\/a>.<\/p>\n<p>This changed in late 2022 when Juniper Threat Labs first <a href=\"https:\/\/blogs.juniper.net\/en-us\/threat-research\/a-custom-python-backdoor-for-vmware-esxi-servers\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">discovered a novel Backdoor<\/a> targeting ESXi Hypervisors. 
A few weeks later this Backdoor script became the first post-exploitation component of an automated Ransomware campaign named \u201cESXiArgs\u201d (after the targeted systems and the file extension .args). The spread of ESXiArgs Ransomware surged on February 2<sup>nd<\/sup> 2023, when automated exploitation of <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-21974\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">CVE-2021-21974<\/a> hit many internet-facing ESXi deployments at hosting providers such as <a href=\"https:\/\/blog.ovhcloud.com\/ransomware-targeting-vmware-esxi\/\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">OVH<\/a>, Hetzner and others around the world. The vulnerability is a heap overflow in the OpenSLP (Service Location Protocol) service listening on port 427\/tcp; successful exploitation yields Remote Code Execution on the ESXi host. <a href=\"https:\/\/packetstormsecurity.com\/files\/162957\/VMware-ESXi-OpenSLP-Heap-Overflow.html\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">Public exploitation tools<\/a> have been available since June 2021, so the campaign exploited a bug for which a vendor patch had existed for almost two years. 
According to the alert issued by <a href=\"https:\/\/www.cert.ssi.gouv.fr\/alerte\/CERTFR-2023-ALE-015\/\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">CERT-FR<\/a>, the vulnerability affects unpatched systems running the following ESXi versions:<\/p>\n<ul>\n<li>ESXi versions 7.x before ESXi70U1c-17325551<\/li>\n<li>ESXi versions 6.7.x before ESXi670-202102401-SG<\/li>\n<li>ESXi versions 6.5.x before ESXi650-202102101-SG<\/li>\n<\/ul>\n<p>At the time of writing, the search engine <a href=\"https:\/\/search.censys.io\/search?resource=hosts&amp;sort=RELEVANCE&amp;per_page=25&amp;virtual_hosts=EXCLUDE&amp;q=services.http.response.body%3A+%22How+to+Restore+Your+Files%22+and+services.http.response.html_title%3A%22How+to+Restore+Your+Files%22&amp;ct=1\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">Censys<\/a> finds nearly 2500 internet-exposed ESXi systems affected by ESXiArgs Ransomware. The query matches hosts that serve the Ransomnote on the ESXi Web Interface, so compromised hosts whose web interface is not reachable from the Internet are not counted and the real number is likely higher.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-36797 size-large\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-censys-1024x502.png\" alt=\"Censys search results for hosts serving the ESXiArgs ransomnote\" width=\"1024\" height=\"502\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-1024x502.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-300x147.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-768x376.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-1536x752.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-2048x1003.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-24x12.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-36x18.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-censys-48x24.png 48w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 1: Censys Search for ESXiArgs victims<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Analysis_of_ESXiArgs_Ransomware\"><\/span>Analysis of ESXiArgs Ransomware<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img decoding=\"async\" class=\"size-large wp-image-36799 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-ransomnote-1024x488.png\" alt=\"ESXiArgs ransomnote shown on the ESXi web interface\" width=\"1024\" height=\"488\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-1024x488.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-300x143.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-768x366.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-36x17.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote-48x23.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-ransomnote.png 1270w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2: Ransomnote displayed on the ESXi Webinterface of a compromised system<\/p>\n<p>After the initial exploitation of CVE-2021-21974 the threat actors establish persistence with the \u201cvmtools.py\u201d Backdoor script that was previously analyzed by Juniper Threat Labs. The Web Shell is an HTTP server on port 8008 that accepts POST requests with a specified command structure. Requests with the action \u201clocal\u201d run commands on the Hypervisor and return their output through the Web Shell. 
Using the \u201cremote\u201d action the attackers can instead open a reverse shell to a host IP and port specified in the request.<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-36803 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-vmtools.png\" alt=\"Source of the vmtools.py web shell\" width=\"984\" height=\"827\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools.png 984w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools-300x252.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools-768x645.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools-24x20.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools-36x30.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-vmtools-48x40.png 48w\" sizes=\"(max-width: 984px) 100vw, 984px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 3: vmtools.py Script &#8211; used for a Web Shell<\/p>\n<p>Once persistence on the Hypervisor is achieved, the threat actors transfer the Ransomware components to the system in an archive file called \u201carchieve.zip\u201d (the misspelling is the attackers\u2019 own), which contains the Ransomnotes for the Web Interface and the SSH Message of the Day as well as a Bash script and an ELF binary for the file encryption.<\/p>\n<p>The Ransomware logic is implemented in the Bash script, while the supplied ELF binary is only used to encrypt individual files. Let\u2019s look at the script first:<\/p>\n<p>First, ESXiArgs collects a list of disk and swap files for the VMs configured on the Hypervisor and renames them. In contrast to many other ESXi Ransomware implementations, ESXiArgs does not use utilities like \u201cesxcli\u201d, \u201cvmware-cmd\u201d or \u201cvim-cmd\u201d to power down running VMs before encrypting their files, but simply kills the vmx process of each VM. Killing the process instead of shutting the VM down cleanly can leave the VM files in an inconsistent state and corrupt VM data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36805 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-kill.png\" alt=\"encrypt.sh collecting VM files and killing vmx processes\" width=\"801\" height=\"190\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill.png 801w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill-300x71.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill-768x182.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill-24x6.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill-36x9.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-kill-48x11.png 48w\" sizes=\"(max-width: 801px) 100vw, 801px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 4: Information Gathering and killing vmx<\/p>\n<p>When encrypting VM data, ESXiArgs iterates through a list of volumes and tries to encrypt VM storage and configuration files using intermittent encryption, i.e. only selected blocks of each file are encrypted, a common trick to keep the runtime on large virtual disks short. 
Which file to encrypt, and which blocks of it, is passed as command-line arguments to the \u201cencrypt\u201d binary, which we will analyze shortly.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-36807 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-encrypt-1024x309.png\" alt=\"File encryption loop in encrypt.sh\" width=\"1024\" height=\"309\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-1024x309.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-300x90.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-768x231.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-1536x463.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-24x7.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-36x11.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt-48x14.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-encrypt.png 1586w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 5: File Encryption Routine<\/p>\n<p>After encrypting the VM files the Ransomware drops two Ransomnotes: the first overwrites the index page of the vSphere Web Interface (see Figure 2) and the second overwrites the SSH Message of the Day, so it is displayed on login.<br \/>\nTo cover their tracks and make the following investigation more difficult, ESXiArgs deletes log files from the system.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36809 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-note2.png\" alt=\"encrypt.sh writing the ransomnotes and deleting log files\" width=\"628\" height=\"362\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-note2.png 628w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-note2-300x173.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-note2-24x14.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-note2-36x21.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-note2-48x28.png 48w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 6: Dropping the Ransomnote and deleting Log files<\/p>\n<p>Lastly, ESXiArgs removes its own persistence (e.g. the entry in \/etc\/rc.local.d\/local.sh) and deletes all artifacts used for the encryption process as an anti-analysis measure. For investigators this means that the absence of these files on an encrypted host does not prove they were never there.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-36811 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-delete-1024x451.png\" alt=\"encrypt.sh removing its persistence and artifacts\" width=\"1024\" height=\"451\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-1024x451.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-300x132.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-768x338.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-1536x677.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-36x16.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete-48x21.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-delete.png 1602w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 7: Deletion of artifacts and persistence<\/p>\n<p>The ESXiArgs \u201cencrypt\u201d binary is a 64-bit LSB ELF file with the debug information still intact. 
Since it only handles the actual file encryption, it is relatively small at roughly 48 KB.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-36813 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-file-1024x52.png\" alt=\"file(1) output for the encrypt binary\" width=\"1024\" height=\"52\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-1024x52.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-300x15.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-768x39.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-24x1.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-36x2.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file-48x2.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-file.png 1101w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 8: Information on the &#8220;encrypt&#8221; binary<\/p>\n<p>The binary features a usage dialog and requires the RSA public key, the file path and the values controlling the intermittent encryption (which parts of the file get encrypted) to be passed as arguments.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36815 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-help.png\" alt=\"Usage text of the encrypt binary\" width=\"679\" height=\"78\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-help.png 679w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-help-300x34.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-help-24x3.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-help-36x4.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-help-48x6.png 48w\" sizes=\"(max-width: 679px) 100vw, 679px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 9: Help menu for the &#8220;encrypt&#8221; binary<\/p>\n<p>The file encryption combines the asymmetric RSA algorithm with the symmetric Sosemanuk stream cipher in the usual hybrid fashion: the file contents are encrypted with Sosemanuk, and the symmetric key material is protected with the attackers\u2019 RSA public key, so it can only be recovered with the corresponding private key. Sosemanuk is part of the eSTREAM portfolio and a relatively rare sight in Ransomware. From the debug information contained in the binary we suspect that the threat actors may have based their implementation on this <a href=\"https:\/\/github.com\/cchcc\/SOSEMANUK\/blob\/master\/C\/SOSEMANUK.C\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">Github repository<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-36817 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/esxiargs-crypto-1024x440.png\" alt=\"Decompiled Sosemanuk and RSA routines of the encrypt binary\" width=\"1024\" height=\"440\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-1024x440.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-300x129.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-768x330.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-1536x660.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-2048x880.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-24x10.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-36x15.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/esxiargs-crypto-48x21.png 48w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 10: Sosemanuk and RSA encryption routines<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Recovery_Options\"><\/span>Recovery Options<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before any recovery of virtual machines is attempted, the ESXi Hypervisor should be secured (see the hardening steps below) and backed up in its current state, so that a failed recovery attempt does not destroy what is left. 
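<\/p>
<p>As an added example (not code from the original post, from the ransomware or from any vendor tool), the following Python script pulls the analysis above together into an offline triage helper that is useful before a recovery attempt. It walks a copy of an ESXi host\u2019s filesystem for the indicators listed in this post (the IoC filenames and SHA-256 hashes, <code>.args<\/code> marker files, the Ransomnote string in <code>index.html<\/code> and <code>motd<\/code>, a <code>vmtools.py<\/code> reference in <code>local.sh<\/code>) and then computes a per-block entropy map of an encrypted disk file, which shows which regions of an intermittently encrypted file are still plaintext and therefore candidates for carving. The directory layout, the file contents and the 64&nbsp;KiB block \/ 256&nbsp;KiB stride layout are constructed for the demo; the encrypt binary\u2019s real step and size parameters are not reproduced, and the deterministic pseudo-random filler only stands in for Sosemanuk ciphertext.<\/p>

```python
import hashlib
import math
import os
import tempfile

# SHA-256 values and filenames from the post's IoC section.
KNOWN_HASHES = {
    '11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66': 'encrypt',
    '10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459': 'encrypt.sh',
    '773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878': 'vmtools.py',
}
SUSPECT_NAMES = {'vmtools.py', 'encrypt', 'encrypt.sh', 'archieve.zip', 'public.pem', 'nohup.out'}
RANSOMNOTE_MARKER = b'How to Restore Your Files'
BLOCK = 64 * 1024  # granularity of the entropy map (our choice, not the binary's block size)

def shannon_entropy(buf):
    # Bits per byte: close to 8.0 for ciphertext, far below that for text, zero-filled or VM metadata blocks.
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def encrypted_regions(file_size, block_len, stride):
    # Assumed intermittent layout: block_len bytes at the start of every stride-sized window are encrypted
    # and the rest of the window is left untouched. ESXiArgs passes its own step/size values to the binary.
    return [(off, min(block_len, file_size - off)) for off in range(0, file_size, stride)]

def entropy_map(path, block_len=BLOCK, threshold=7.0):
    # Offsets of blocks that look like ciphertext; every other block is candidate plaintext for carving.
    hits = []
    with open(path, 'rb') as fh:
        for off in range(0, os.path.getsize(path), block_len):
            if shannon_entropy(fh.read(block_len)) >= threshold:
                hits.append(off)
    return hits

def triage(root, max_read=8 * 1024 * 1024):
    # Walk an offline copy of the host filesystem and collect ESXiArgs indicators (sorted for stable output).
    # Only files up to max_read are hashed and inspected; virtual disks are handled by entropy_map instead.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in SUSPECT_NAMES:
                findings.append(('suspect-filename', rel))
            if name.endswith('.args'):
                findings.append(('args-marker', rel))
            if os.path.getsize(path) > max_read:
                continue
            with open(path, 'rb') as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in KNOWN_HASHES:
                findings.append(('known-sample-' + KNOWN_HASHES[digest], rel))
            if name in ('index.html', 'motd') and RANSOMNOTE_MARKER in data:
                findings.append(('ransomnote', rel))
            if name == 'local.sh' and b'vmtools.py' in data:
                findings.append(('rc-persistence', rel))
    return sorted(findings)

def pseudo_ciphertext(n, seed):
    # Deterministic high-entropy filler (SHA-256 in counter mode) standing in for stream-cipher output. Demo only.
    blocks = (hashlib.sha256(seed + i.to_bytes(8, 'big')).digest() for i in range(n // 32 + 1))
    return b''.join(blocks)[:n]

def build_sample_host():
    # Constructed host image: a persistence hook, a defaced UI page and MOTD, and one partially encrypted disk.
    # Paths and contents are illustrative; they are not the real ESXi locations or the real backdoor line.
    root = tempfile.mkdtemp(prefix='esxi-triage-')

    def put(rel, data):
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)
        return path

    put('etc/rc.local.d/local.sh', b'#!/bin/sh nohup python /store/vmtools.py &')
    put('etc/motd', b'How to Restore Your Files')
    put('ui/index.html', b'How to Restore Your Files (constructed page)')
    put('store/vmtools.py', b'# constructed placeholder; its hash will not match the real sample')
    disk = bytearray(b'VMFS-demo-plaintext-0123456789 ' * (1024 * 1024 // 31 + 1))[:1024 * 1024]
    for off, length in encrypted_regions(len(disk), BLOCK, 4 * BLOCK):
        disk[off:off + length] = pseudo_ciphertext(length, off.to_bytes(8, 'big'))
    vmdk = put('vmfs/volumes/ds1/vm1/vm1-flat.vmdk', bytes(disk))
    put('vmfs/volumes/ds1/vm1/vm1-flat.vmdk.args', b'constructed marker')
    return root, vmdk

if __name__ == '__main__':
    host, vmdk = build_sample_host()
    for kind, rel in triage(host):
        print(kind, rel)
    print('ciphertext blocks at offsets', entropy_map(vmdk))
```

<p>Run it as a script to triage the constructed sample. For a real case, point <code>triage()<\/code> at a mounted image of the host and <code>entropy_map()<\/code> at every file that has a matching <code>.args<\/code> file: high-entropy blocks are ciphertext, the remaining blocks can be carved out, and the recovery approaches below rely on the same observation that large disk files are only partially encrypted.<\/p>
<p>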
In some cases the encryption may have failed to encrypt the VM data correctly, and those VMs can be recovered. Enes Sonmez &amp; Ahmet Aykac from the YoreGroup Tech Team have documented a recovery workflow <a href=\"https:\/\/enes.dev\/\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">here<\/a>, which might help victims to restore their VMs in a timely manner. It seems that this process only applies to VMs with \u201cthin provisioned\u201d storage, though.<br \/>\nUpdate (2023-02-08): CISA released a recovery script for affected Hypervisors, you can find it on <a href=\"https:\/\/github.com\/cisagov\/ESXiArgs-Recover\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">GitHub<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Steps_to_protect_your_Hypervisor\"><\/span>Steps to protect your Hypervisor<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>1 &#8211; <strong>Keep your Hypervisor up-to-date<\/strong>: Affected ESXi versions should be upgraded to the latest patch level immediately. Versions that have reached End-of-Life in terms of vendor support should be decommissioned and their workloads migrated to a supported version, since no patch will ever be released for them.<\/p>\n<p>2 &#8211; <strong>Do not expose your Hypervisor to the public Internet<\/strong>: This includes all management interfaces (LAN, IPMI) as well as services such as SSH, OpenSLP, SNMP and the vSphere Web Interface and API. None of these should be reachable from the Internet, and services that are not needed (SSH, OpenSLP, SNMP) should be disabled. Network access to the Hypervisor should be restricted through a firewall to a dedicated management network.<\/p>\n<p>3 &#8211; <strong>Back up your Hypervisor<\/strong>: As with any other system affected by Ransomware, keeping backups is the key to restoring the service in a timely manner. This includes virtual hard disk files as well as the VMware configuration data for the VMs, and the backups must be stored where a compromised Hypervisor cannot reach them.<\/p>\n<p>4 &#8211; <strong>Use Syslog to retain Logs<\/strong>: ESXiArgs and many other Hypervisor-specific Ransomware families delete log files on the system to hinder further investigation, so it is important to forward these logs to a remote Syslog server and store them safely.<\/p>\n<p>5 &#8211; <strong>Disable the execution of unsigned software<\/strong>: The configuration option <em>execInstalledOnly<\/em> restricts ESXi to only executing binaries that were installed through vSphere Installation Bundles (VIBs), i.e. ESXi software components or VMware-approved third-party applications. Unsigned Ransomware binaries such as \u201cencrypt\u201d could therefore not be run on the system. It is important to understand that an attacker with root access can simply turn this option off again, so it should be enforced at boot through UEFI Secure Boot and, on hosts with a TPM 2.0 (vSphere 7.0 U2 and later), VMware\u2019s TPM-backed enforcement of the setting, to defend against human-operated Ransomware. More information about this feature can be found <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/7.0\/com.vmware.vsphere.security.doc\/GUID-9047A43D-BB1F-4878-A971-EEFCAC183C86.html\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">here<\/a>.<\/p>\n<p>6 &#8211; <strong>Review user authentication<\/strong>: User authentication should not be done through Active Directory, to prevent Lateral Movement to the Hypervisor in case of a Domain Controller compromise. Local user accounts should be subject to a password policy, a limit on authentication attempts and temporary lockouts after failed logins.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Yara_rules\"><\/span>Yara rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Yara rules for the Python, Bash and binary files used by ESXiArgs Ransomware can be found in our <a href=\"https:\/\/github.com\/SIFalcon\/Detection\/tree\/main\/Yara\/Malware\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">Github repository<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>Samples<\/h3>\n<p>The Ransomware samples were obtained from an <a href=\"https:\/\/www.bleepingcomputer.com\/forums\/t\/782193\/esxi-ransomware-help-and-support-topic-esxiargs-args-extension\/page-14#entry5470686\" target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\">affected victim on the BleepingComputer Forum<\/a>.<\/p>\n<p><code>11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66<\/code> encrypt<\/p>\n<p><code>10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459<\/code> encrypt.sh<\/p>\n<p><code>773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878<\/code> vmtools.py<\/p>\n<h3>Filenames<\/h3>\n<p>vmtools.py<br \/>\nencrypt<br \/>\n\/tmp\/tmpy_8th_nb<br \/>\nnohup.out<br \/>\npublic.pem<br \/>\narchieve.zip<br \/>\nmotd<\/p>\n<h2><span class=\"ez-toc-section\" id=\"MITRE_ATT_CK_Mapping\"><\/span>MITRE ATT&amp;CK Mapping<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<table>\n<tbody>\n<tr>\n<td width=\"85\"><strong>Tactic<\/strong><\/td>\n<td width=\"85\"><strong>Technique<\/strong><\/td>\n<td width=\"123\"><strong>Description<\/strong><\/td>\n<td width=\"308\"><strong>Observable<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Reconnaissance<\/td>\n<td width=\"85\">Active 
Scanning: Vulnerability Scanning (T1595.002)<\/td>\n<td width=\"123\">Threat Actors behind ESXiArgs actively scan for vulnerable ESXi Servers<\/td>\n<td width=\"308\">CVE-2021-21974 artifacts<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Initial Access<\/td>\n<td width=\"85\">Exploit Public-Facing Application (T1190)<\/td>\n<td width=\"123\">Exploitation of OpenSLP<\/td>\n<td width=\"308\">CVE-2021-21974 artifacts<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Execution<\/td>\n<td width=\"85\">Command and Scripting Interpreter: Python (T1059.006)<\/td>\n<td width=\"123\">Backdoor\/Web Shell implemented in Python<\/td>\n<td width=\"308\">vmtools.py<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Persistence<\/td>\n<td width=\"85\">Boot or Logon Initialization Scripts: RC Scripts (T1037.004)<\/td>\n<td width=\"123\">Persisting the Python backdoor<\/td>\n<td width=\"308\">\/etc\/rc.local.d\/local.sh<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Command and Control<\/td>\n<td width=\"85\">Non-Standard Port (T1571)<\/td>\n<td width=\"123\">Web Shell implemented in vmtools.py<\/td>\n<td width=\"308\">HTTP POST server on port 8008<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Command and Control<\/td>\n<td width=\"85\">Non-Standard Port (T1571)<\/td>\n<td width=\"123\">Reverse Shell implemented in vmtools.py<\/td>\n<td width=\"308\">Reverse Shell via specified port; default fallback: 427<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Execution<\/td>\n<td width=\"85\">Command and Scripting Interpreter: Unix Shell (T1059.004)<\/td>\n<td width=\"123\">Ransomware functionality is implemented in Bash<\/td>\n<td width=\"308\">encrypt.sh<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Impact<\/td>\n<td width=\"85\">Data Encrypted for Impact (T1486)<\/td>\n<td width=\"123\">VM data is encrypted via RSA+Sosemanuk<\/td>\n<td width=\"308\">encrypt binary<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Impact<\/td>\n<td width=\"85\">Service Stop (T1489)<\/td>\n<td width=\"123\">Killing processes to power down VMs<\/td>\n<td width=\"308\">Killing the vmx process in encrypt.sh<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Impact<\/td>\n<td width=\"85\">Defacement: External Defacement (T1491.002)<\/td>\n<td width=\"123\">Defacement of the vSphere Web Interface<\/td>\n<td width=\"308\">Overwriting index.html with the Ransomnote<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Impact<\/td>\n<td width=\"85\">Defacement: Internal Defacement (T1491.001)<\/td>\n<td width=\"123\">Defacement of the SSH MOTD<\/td>\n<td width=\"308\">Overwriting motd with the Ransomnote<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Defense Evasion<\/td>\n<td width=\"85\">Indicator Removal: Clear Linux or Mac System Logs (T1070.002)<\/td>\n<td width=\"123\">Log file deletion<\/td>\n<td width=\"308\">Deleting all .log files<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Today many businesses rely on virtualization technology to run and scale their infrastructure. One of the most popular Hypervisor systems on the market is VMware ESXi, which has regularly been targeted in Ransomware attacks for the last 3+ years to increase the damage to the victim\u2019s IT 
systems.<\/p>\n","protected":false},"author":6,"featured_media":36795,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[86,81,257],"tags":[266,265,240,267],"dpc_coauthors":[],"class_list":["post-36794","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident-response","category-techtalk","category-vulnerabilities","tag-analyse","tag-esxiargs","tag-malware","tag-ransomware"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/36794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=36794"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/36794\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/36795"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=36794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=36794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=36794"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=36794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}