Ransomware, ESXi and YARA

September 24, 2023

TLDR: I'm presenting some YARA rules I've created: two for ESXi ransomware, one for ransomware in general, and one for UPX-packed executables. You should also deploy the relevant Sigma rules on your SIEM to detect this behavior.

Ransomware can disrupt companies and affect millions of people, as in the case of IFX Networks, where dozens of government institutions and companies were affected. In that case, health, justice and other services of the Colombian government were disrupted by the attack. An attack like this succeeds when multiple controls fail or don't exist, and we still don't know what happened there. In this post, I want to explore detection opportunities with YARA and some public Sigma rules that can help us identify these attacks.

First, I went looking for the sample, but I didn't manage to get the ransomware sample from this case, as it is only available on VirusTotal. However, since MalwareBazaar has some ESXi ransomware samples, I created rules for those instead:
https://bazaar.abuse.ch/browse.php?search=tag%3Aesxi

At the time of writing, 13 ELF executables were available, so I used them for this small project. Of these files, 3 were written in Rust, 1 was UPX-packed, and the rest were ransomware with usage text or ransom notes inside them. Based on this, I created 4 rules built on the strings I identified.

YARA

First, some samples contained the commands "esxcli vm process kill" and "esxcli vm process list". This, plus the .onion site embedded in the file, gave me the idea for the rule "EXSI_Ransomware_esxcli". I expect it to be effective, as I don't think many legitimate programs will reference a .onion address right next to commands that kill VMs (at least I hope so). Note that the condition requires all three strings, so a sample that kills VMs but keeps its contact address elsewhere, or obfuscated, will not match this rule.

Second, other samples had a different usage text. It reminded me of the script deployed during the ESXi ransomware campaign from earlier this year. I used their usage strings to create the rule "EXSI_Ransomware_script_Usage". Because the strings are literal usage lines, the rule is precise but brittle: a rebuild that rewords the help text will evade it.

Third, most ransomware samples had notes inside them. I fed the words from these notes into a word counter and found some that were common across samples and some that were unique. The idea is to look for this group of words, but the rule could be much better with a larger set of ransom notes and, just as importantly, a baseline of benign files from the same hosts, so that only words that are common in notes but rare elsewhere are kept. Generic words like "encrypted" and "data" will show up in plenty of legitimate binaries, which is why the rule needs several of them to fire.
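The word-counting approach above, and the .onion regex from the first rule, as an added example written for this post (not the author's tooling). The ransom notes, the benign baseline and the .onion addresses are constructed inline; the function names and the selection thresholds (present in at least 2 notes, absent from the baseline) are my own choices. It shows which words survive once a benign baseline is applied, emits a YARA rule from the survivors, and compares the rule's `[a-z0-9]{56}` onion pattern with the stricter v3 base32 alphabet `[a-z2-7]`:

```python
import re
from collections import Counter

# Constructed ransom notes and benign strings for this example (not the
# MalwareBazaar samples). The .onion addresses are made up but have the v3
# shape: 56 base32 characters, i.e. [a-z2-7].
ONION1 = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx"
ONION2 = "zyxwvutsrqponmlkjihgfedcba765432zyxwvutsrqponmlkjihgfedc"

NOTES = [
    "ALL YOUR FILES HAVE BEEN ENCRYPTED. Your data was exfiltrated before "
    f"encryption. To recover, contact us on TOR: http://{ONION1}.onion and "
    "read HOW_TO_DECRYPT.txt for the ransom amount.",
    "Stopping VMs... done. Your ESXi datastores are encrypted. We have your "
    f"data. Pay the ransom at http://{ONION2}.onion (tor browser required).",
    "Hello. Files encrypted. Backups deleted. Data exfiltrated. Decryption "
    f"key sold after payment. Contact: http://{ONION1}.onion",
]

# Strings a legitimate ELF on the same host might carry (usage text, library
# error messages). Any word common here is a bad YARA string.
BENIGN = [
    "Usage: vmbackup [options] <datastore>\n  --encrypted   write an encrypted "
    "archive\n  --data-dir    directory for output data\n  --help   show this help and exit",
    "OpenSSL: unable to load encrypted private key; check that you have your passphrase right",
    "README: this tool lists VMs and reports their storage usage. Data files are "
    "written to stdout; the web UI listens on http://localhost:8080",
]

# Words of 3..20 letters/underscores; the \b anchors drop long base32 runs.
WORD = re.compile(r"\b[a-z_]{3,20}\b")

# The rule on this page uses [a-z0-9]{56}; v3 .onion names are base32, so only
# [a-z2-7] can occur. Both are kept here to show the difference.
RULE_ONION = re.compile(r"https?://[a-z0-9]{56}\.onion")
V3_ONION = re.compile(r"https?://[a-z2-7]{56}\.onion")


def tokens(text):
    """Set of lower-cased words in one document."""
    return set(WORD.findall(text.lower()))


def document_frequency(docs):
    """How many documents contain each word (at most 1 per document)."""
    df = Counter()
    for d in docs:
        df.update(tokens(d))
    return df


def rank_words(notes, benign):
    """word -> (df in ransom notes, df in benign corpus)."""
    dn, db = document_frequency(notes), document_frequency(benign)
    return {w: (dn[w], db[w]) for w in dn}


def candidate_strings(notes, benign, min_note_df=2, max_benign_df=0):
    """Words common across notes but (near) absent from the baseline, best first."""
    keep = [(w, n, b) for w, (n, b) in rank_words(notes, benign).items()
            if n >= min_note_df and b <= max_benign_df]
    keep.sort(key=lambda t: (-t[1], t[0]))
    return keep


def find_onion_urls(text, strict=True):
    """Onion URLs in text; strict=True enforces the v3 base32 alphabet."""
    return (V3_ONION if strict else RULE_ONION).findall(text)


def render_yara_rule(name, words, threshold):
    """Emit a YARA rule with one case-insensitive string per selected word."""
    lines = [f"rule {name} {{", "   strings:"]
    for i, w in enumerate(words, 1):
        lines.append(f'      $s{i} = "{w}" nocase')
    lines += ["   condition:", f"      {threshold} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    picked = candidate_strings(NOTES, BENIGN)
    for w, n, b in picked:
        print(f"{w:15} notes={n} benign={b}")
    print(render_yara_rule("Ransomware_note_words_example",
                           [w for w, _, _ in picked], threshold=3))
```

With this tiny corpus "encrypted" and "data" are rejected because the benign usage text and the OpenSSL message contain them, while "onion", "contact", "exfiltrated", "ransom" and "tor" survive; a real baseline should be the strings of every binary on a clean ESXi host. The `find_onion_urls` check shows that a 56-character string of zeros matches the rule's pattern but is not a valid v3 address.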

Lastly, I wrote a simple YARA rule for UPX-packed executables. This rule will produce many false positives: UPX is used by plenty of legitimate software, and the fallback strings in the rule ($s3 to $s8) are Python standard-library module names, so that branch really matches binaries with an embedded Python runtime (PyInstaller-style bundles) rather than UPX packing as such. I'm working on setting up an ESXi server to test these rules, as I would like to know whether UPX-packed executables are common on that system. If they are rare, the rule could help identify suspicious files.
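To make the UPX point concrete, here is an added triage check written for this post (not the author's code and not a YARA rule). It looks for the `UPX!` magic that the UPX stub writes into its header, the two stub strings from the rule above, and the Python module names, and it also replays the rule's own condition (`$s1 or 5 of them`) so you can see it firing on a Python bundle that is not UPX-packed at all. The three byte blobs are constructed stand-ins for real binaries:

```python
import sys

ELF_MAGIC = b"\x7fELF"
# "UPX!" is the l_magic value the UPX stub writes into its l_info header; it
# is present in every UPX-packed file unless deliberately patched out.
UPX_MAGIC = b"UPX!"
UPX_STUB = (b"This file is packed with the UPX executable packer", b"the UPX Team")
# Python standard-library module names: in an ELF they indicate an embedded
# Python archive (PyInstaller-style bundle), not UPX compression.
PY_STDLIB = (b"encodings", b"fnmatch", b"functools", b"genericpath", b"textwrap", b"unittest")


def scan(blob):
    """Raw indicators found in the bytes."""
    return {
        "elf": blob.startswith(ELF_MAGIC),
        "upx_magic": blob.count(UPX_MAGIC),
        "upx_stub": any(s in blob for s in UPX_STUB),
        "py_stdlib": sum(1 for s in PY_STDLIB if s in blob),
    }


def page_rule_matches(blob):
    """Same condition as the UPX rule on this page: $s1 or (5 of the 8 strings)."""
    hits = sum(1 for s in UPX_STUB + PY_STDLIB if s in blob)
    return UPX_STUB[0] in blob or hits >= 5


def verdict(blob):
    """Separate 'really UPX-packed' from 'bundled Python' from everything else."""
    r = scan(blob)
    if r["upx_magic"] or r["upx_stub"]:
        return "upx-packed"
    if r["py_stdlib"] >= 5:
        return "python-bundle"
    return "other"


def verdict_for_file(path):
    with open(path, "rb") as f:
        return verdict(f.read())


# Constructed byte blobs standing in for real binaries (not actual samples).
UPX_SAMPLE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + UPX_MAGIC + b"\x0d\x18\x00\x00"
              + b"$Info: " + UPX_STUB[0] + b" http://upx.sf.net $\n"
              + b"$Id: UPX Copyright (C) 1996-2023 " + UPX_STUB[1] + b". All Rights Reserved. $\n")
PY_SAMPLE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
             + b"\x00".join(PY_STDLIB) + b"\x00python3\x00")
PLAIN_SAMPLE = b"#!/bin/sh\necho backup done\n"

if __name__ == "__main__":
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(p, verdict_for_file(p))
    else:
        for name, blob in (("upx", UPX_SAMPLE), ("py", PY_SAMPLE), ("plain", PLAIN_SAMPLE)):
            print(f"{name:6} verdict={verdict(blob):14} page rule fires={page_rule_matches(blob)}")
```

Run it with file paths to triage real binaries, or with no arguments to see the three constructed cases. A cheap way to cut the false positives on a host is to alert on `upx-packed` only for files outside the paths where you expect vendor-packed binaries, after you have measured how common those are.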

SIGMA

The Sigma repository (https://github.com/SigmaHQ/sigma) has many rules that can help detect malicious and suspicious behavior. Its esxcli rules cover many of the actions this ransomware performs on a host, such as listing and killing VMs (https://github.com/search?q=repo%3ASigmaHQ%2Fsigma+esxcli&type=code). Those rules are useless without data, so make sure your ESXi hosts actually ship their logs to the SIEM, including the shell log where interactive esxcli commands are recorded.
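The detection logic in action, as an added example written for this post rather than a copy of any SigmaHQ rule: a small evaluator that applies Sigma-style "contains|all" selections to ESXi shell log lines and then correlates a burst of VM kills in one shell session. The log lines are constructed to have the shape of shell.log entries (timestamp, shell[pid], [user], command) and the rule names, levels and thresholds are my own:

```python
import re
from datetime import datetime, timezone

# Constructed lines in the shape of ESXi shell.log entries
# (timestamp, shell[pid], [user], command). Not real host logs.
SHELL_LOG = """\
2023-09-22T10:15:33Z shell[2099456]: [root]: esxcli system version get
2023-09-22T10:15:40Z shell[2099456]: [root]: esxcli vm process list
2023-09-22T10:15:52Z shell[2099456]: [root]: esxcli vm process kill --type=force --world-id=2100124
2023-09-22T10:15:53Z shell[2099456]: [root]: esxcli vm process kill --type=force --world-id=2100188
2023-09-22T10:16:02Z shell[2099456]: [root]: esxcli system syslog config set --loghost=
2023-09-22T10:16:10Z shell[2099456]: [root]: esxcli storage filesystem list
2023-09-22T11:05:00Z shell[2101000]: [admin]: esxcli network ip interface list
"""

LINE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Selections in Sigma's "contains|all" style: every substring must appear in
# the command line. Written for this example, modelled on the kind of esxcli
# checks in the SigmaHQ repository, not copied from it.
RULES = [
    ("ESXi VM kill via esxcli", "high", ("esxcli", "vm process kill")),
    ("ESXi VM discovery via esxcli", "low", ("esxcli", "vm process list")),
    ("ESXi syslog config change via esxcli", "medium", ("esxcli", "system syslog config set")),
    ("ESXi storage discovery via esxcli", "low", ("esxcli", "storage filesystem list")),
]


def parse(line):
    """One shell.log line -> dict, or None if it does not have the expected shape."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def evaluate(log_text):
    """Apply every rule to every parsable line; returns hits in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        cmd = rec["cmd"].lower()
        for name, level, needles in RULES:
            if all(n in cmd for n in needles):
                hits.append({**rec, "rule": name, "level": level})
    return hits


def mass_kill_sessions(hits, min_kills=2, window_s=60):
    """Shell sessions (pids) that killed >= min_kills VMs within window_s seconds.
    One kill can be an admin; a burst right after 'vm process list' is the
    ransomware pattern the YARA strings above look for."""
    kills = {}
    for h in hits:
        if h["rule"] == "ESXi VM kill via esxcli":
            kills.setdefault(h["pid"], []).append(h["ts"])
    flagged = []
    for pid, times in kills.items():
        times.sort()
        for i in range(len(times) - min_kills + 1):
            if (times[i + min_kills - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(pid)
                break
    return flagged


if __name__ == "__main__":
    found = evaluate(SHELL_LOG)
    for h in found:
        print(h["ts"].isoformat(), h["user"], h["level"].upper(), h["rule"], "|", h["cmd"])
    print("mass VM kill sessions:", mass_kill_sessions(found))
```

The single-command rules are what Sigma gives you; the session correlation is the extra step worth adding in the SIEM, because "list VMs, then kill them all, then point syslog at nothing" within a minute is the sequence that matters, and each line on its own can look like routine administration.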

This was an interesting little project. I'm interested in doing something similar with Windows ransomware to see the similarities and differences. I hope these rules are helpful, and happy hunting.

rule EXSI_Ransomware_esxcli {
   meta:
      description = "Detects vm process interaction common in ransomware"
      author = "Doubtful Frog"
      date = "2023-09-22"
      tags = "esxi"
   strings:
      // commands used to enumerate and force-stop running VMs before encryption
      $s1 = "esxcli vm process kill"
      $s2 = "esxcli vm process list"
      // embedded v3 .onion contact URL (56 chars; [a-z0-9] is a looser superset of the base32 set [a-z2-7])
      $s3 = /https?:\/\/[a-z0-9]{56}\.onion/
   condition:
      // all three are required: no embedded .onion URL, no match
      all of them
}

rule EXSI_Ransomware_script_Usage {
   meta:
      description = "Detects usage for ransomware script or elf"
      author = "Doubtful Frog"
      date = "2023-09-22"
      tags = "esxi"
   strings:
      // literal help/usage lines taken from the samples; the encrypt and decrypt
      // variants share the same wording, so both sets are listed
      $s1 = "encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]"
      $s2 = "enc_step   -   number of MB to skip while encryption"
      $s3 = "enc_size   -   number of MB in encryption block"
      $s4 = "file_size  -   file size in bytes (for sparse files)"
      $s5 = "dec_step   -   number of MB to skip while encryption"
      $s6 = "dec_size   -   number of MB in encryption block"
   condition:
      // three lines is enough to survive minor edits to the usage text
      3 of them
}

rule Ransomware_suspicious_note {
   meta:
      description = "Detects common strings in ransomware programs and notes"
      author = "Doubtful Frog"
      date = "2023-09-22"
      tags = "esxi"
   strings:
      // $s1 and $s2 are very generic on their own; they only count towards the threshold
      $s1 = "encrypted"
      $s2 = " data "
      $s3 = " tor " nocase
      $s4 = "ransom"
      // v3 .onion contact URL, same pattern as in EXSI_Ransomware_esxcli
      $s5 = /https?:\/\/[a-z0-9]{56}\.onion/
      $s6 = "HOW_TO_DECRYPT" nocase
      $s7 = " exfiltrated "
      // ESXi-specific: progress message printed while VMs are stopped
      $s8 = "Stopping VMs" nocase
   condition:
      // four of eight; raise this if benign files on your hosts match
      4 of them
}


rule UPX_packed_executable {
   meta:
      description = "Detects UPX packed executable"
      author = "Doubtful Frog"
      date = "2023-09-22"
      tags = "esxi"
   strings:
      // strings left in the UPX stub by default builds
      $s1 = "This file is packed with the UPX executable packer"
      $s2 = "the UPX Team"
      // Python standard-library module names: these indicate an embedded Python
      // runtime (PyInstaller-style bundle) rather than UPX packing itself
      $s3 = "encodings"
      $s4 = "fnmatch"
      $s5 = "functools"
      $s6 = "genericpath"
      $s7 = "textwrap"
      $s8 = "unittest"
   condition:
      // either the UPX banner, or five of the eight strings (which mostly means a Python bundle)
      $s1 or (5 of them)
}

Written by Frog hi, hope you can find something useful in this blog - fr0g74