Cybersecurity researchers at Trend Micro recently discovered a Linux variant of the feared Play ransomware targeting VMWare ESXi environments.
In a technical analysis, Trend Micro’s Threat Hunting team indicated that this was the first time Play had targeted ESXi environments. It is possible that the attackers will expand their attacks to the Linux platform, allowing them to reach a larger victim base and conduct more successful ransom negotiations.
Play was first spotted more than two years ago and has since become popular for its double extortion techniques, evasion techniques, custom tools and “substantial impact” on businesses in Latin America, the researchers explained.
Productive Puma and Revolver Rabbit
Enterprises typically use VMWare’s ESXi instances for virtual machines, where they host critical applications, data, and integrated backup solutions. By targeting these endpoints, Play’s operators were able to reduce the chances of the victim being able to recover encrypted data, which greatly increases their bargaining power. In addition to targeting Linux endpoints, the new variant was also able to successfully bypass security detections, Trend Micro added.
While analyzing the infrastructure used for these campaigns, researchers discovered an oddity: the URL used to host the encryptor is associated with a threat actor known as Prolific Puma. This group is known for offering URL shortening services to criminals, making phishing attacks more convincing and therefore more disruptive.
In late 2023, researchers at Infoblox uncovered a large link shortening operation in which criminals would use a Registered Domain Generation Algorithm (RDGA) to create domain names in bulk. They would then use those domains to provide a link shortening service to other malicious actors.
Earlier this month, the same firm discovered a threat actor called Revolver Rabbit using RDGAs to register over 500,000 domains, an effort they spent over $1 million on. The hacker used the RDGA to create command and control (C2) and trick domains into hosting the XLoader infostealing malware.
Through The Hacker News