Ransom.Linux.BLACKSUIT.THEODBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Malware File Path}\blacksuit_log_{number} → log file
• {Malware File Path}\PS_syslog_ → contains a list of processes with the string vmsyslogd in its name
• {Malware File Path}\PID_ → contains PID of the executed process
• {Malware File Path}\PS_list → contains PID of all running processes
• {Malware File Path}\list_ → contains a list of running virtual machines

Agrega los procesos siguientes:

• /bin/sh -c ps -Cc|grep vmsyslogd > PS_syslog_
• /bin/sh -c kill -9 {PID} → terminates processes with the string vmsyslogd in its name
• If -killvm is passed as an argument:
  • /bin/sh -c esxcli vm process list > list_
  • /bin/sh -c esxcli vm process kill --type=soft --world-id={World ID of the VM to terminate}

Otros detalles

Hace lo siguiente:

• It only encrypts VM related files by default.
• It terminates processes with the string vmsyslogd by default.
• Based on analysis of the codes, this malware has the following capabilities:
  • It can terminate VM processes using its World ID and VMX Cartel ID by executing the following commands:
    • /bin/sh -c lsof | egrep 'Cartel|%s' > CID_list_
    • /bin/sh -c esxcli vm process list > PID_list_
    • /bin/sh -c esxcli vm process kill --type=force --world-id={World ID or VMX Cartel ID of the VM to terminate}
  • It can drop the following files:
    • {Malware File Path}\CID_list_ → contains a list of VMX Cartel IDs
    • {Malware File Path}\PID_list_ → contains a list of running virtual machines