VMRay's Linux Support - Release Highlights 2023.3 - VMRay

VMRay’s Linux Support – Release Highlights 2023.3

Aug 01st 2023

VMRay’s Linux Support: 

Release Highlights 2023.3

RELEASE HIGHLIGHTS

01 August 2023

Table of Contents

The Escalating Threat of
Linux Ransomware

As Linux-based systems gain prominence, particularly as server environments, the risk of malware targeting this operating system has escalated significantly over the past years. Effectively countering these threats necessitates the analysis of Linux ELF executables. In response to this critical need, VMRay has taken a significant step forward with the latest release, VMRay Platform version 2023.3 – this release represents a milestone as we have enhanced our flagship products, DeepResponse and TotalInsight, by incorporating the ability to analyze Linux ELF executables.

Ransomware attacks on Linux systems increased by 75% in 2022, with well-known threat actors like LockBit, Cl0p, and Hive increasingly deploying Linux versions. Even lesser-known groups are embracing Linux or even cross-platform capabilities. The focus on Linux servers is driven by the critical role in hosting services, leading to higher ransom demands and serving as strategic entry points for lateral movement within targeted attacks. Server environments, often foundational in Cloud deployments are well-known for their “always on, always available” and open-source nature, making them a beloved attack target and usable on-demand once infected.

This blog post delves into the significance of utilizing automated analysis for Linux ELF executables and highlights its relevance through an examination of the notorious Linux Hive Ransomware.

Dynamic Analysis of Linux ELF Executables

In the current release, VMRay Platform supports both static and dynamic analysis of 64bit Linux ELF executables built for x86 platforms. Whether one submits a sample manually through the console or automate the process via the API, our analysis platform promptly recognizes the sample type of the ELF executable.

Additionally, the default Ubuntu 22.04 LTS VM is automatically set as the target for the dynamic analysis, as shown in Figure 1.

VMRay Platform's file upload dialog recognizes the 64bit Linux ELF Executable and selects the Ubuntu 22.04 LTS VM for dynamic analysis.
Figure 1: VMRay Platform's file upload dialog recognizes the 64bit Linux ELF Executable and selects the Ubuntu 22.04 LTS VM for dynamic analysis.

Before the dynamic analysis takes effect, VMRay Platform conducts a static scan of the submitted file. This process involves lookups against Reputation and Anti-Virus engines, along with the extraction of artifacts such as strings from the ELF executable. Our VMRay Threat Identifiers (VTIs) and YARA rules play a crucial role in detecting and reporting any identified anomalies during this static scanning phase.

Moving on to the dynamic analysis: VMRay’s unique monitoring approach is capable of thoroughly inspecting and observing the execution behavior of the submitted Linux ELF executable. This approach allows us to gain deeper insights into the sample’s behavior during execution. All observed behavior, as well as artifacts collected throughout the dynamic analysis, are carefully evaluated to determine whether the sample exhibits malicious traits or not.

In Figure 2, we can observe how VMRay’s ability to track and report file operations contributes to the VTI detecting ransomware behavior, effectively triggering and raising the verdict of the sample. Additionally, our YARA rules are instrumental in directly identifying the submitted sample as the Linux variant of the well-known Hive ransomware.

VMRay Platform's VTIs detects the maliciousness of the submitted sample, and the YARA match reveals it to be Hive ransomware.
Figure 2: VMRay Platform's VTIs detects the maliciousness of the submitted sample, and the YARA match reveals it to be Hive ransomware.

The Files tab in the analysis report sheds lights on what happened during this ransomware attacks to files located on the system. As depicted in Figure 3-a, the ransomware searches various locations for files, encrypting and renaming them with new file extensions. As a result, the original content of these files is practically unusable and held hostage until a ransom is paid, potentially leading to a severe disruption of services running on this Linux server.

In Figure 3-b, we can observe the creation of a file called “HOW_TO_DECRYPT.txt”, commonly known as the ransom note. This file contains more detailed information about the incident provided by the operator of the ransomware. It is a common practise for attackers to drop the same ransom note in each directory where files have been encrypted, as indicated by the different paths, referred to as “Also Known As” in the screenshot below.

VMRay Platform's Files tab revealing the encrypted files and the added extensions.
Figure 3/a: VMRay Platform's Files tab revealing the encrypted files and the added extensions.
Figure 3/b: VMRay Platform's Files tab listing different paths to which the ransom note has been written to.

Taking a closer look at the YARA matches reported by VMRay, one of them triggers on the ransom note that has been written to the file named motd (also known as “message of the day”). Users are presented with the message located in this file every time they log into the system, which is an additional way of notifying the user about the data breach.

VMRay Platform's YARA matches detecting the dropped ransom note.
Figure 4/a: VMRay Platform's YARA matches detecting the dropped ransom note.
Hive writes the ransomware to the motd file, which is presented to the user after successful login.
Figure 4/b: Hive writes the ransomware to the motd file, which is presented to the user after successful login.

Note that the behavior-based monitoring approach utilized by VMRay Platform is not confused by this as static analysis via disassembly is not necessary to detect malicious behavior on our end.

Conclusion

The recently introduced Linux support by VMRay Platform adds the capability to perform both, static and dynamic analyses of Linux ELF executables.

Considering that Linux systems continue to face significant risks, the importance of having reliable and automated malware analysis solutions cannot be overstated. The results of such analysis can be utilized to enhance asset protection within organizations. This crucial step towards fortifying defenses allows our customers to stay one step ahead of the ever-evolving threat landscape, particularly for Linux environments.

Patrick Staubmann

Threat Researcher

Subscribe

Stay current on the threat landscape with industry-leading insights.

See VMRay in action.
Solve your own challenges.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator