Trend Micro cybersecurity researchers recently found a Linux variant of the dreaded Play ransomware strain targeting VMware ESXi environments.
In a technical breakdown, Trend Micro’s Threat Hunting team said this was the first time Play had been observed targeting ESXi environments, and it could be that the criminals are expanding their attacks across the Linux platform, which would give them an expanded victim pool and more successful ransom negotiations.
Play was first detected more than two years ago and has since become popular for its double extortion tactics, evasion techniques, custom tools and “substantial impact” on businesses in Latin America, researchers said.
Prolific Puma and Revolver Rabbit
Enterprises typically use VMware ESXi instances to run virtual machines that host critical applications, data, and built-in backup solutions. By targeting these endpoints, Play operators could reduce the victim’s chances of recovering encrypted data, which strengthens the attackers’ bargaining position considerably. In addition to attacking Linux endpoints, the new variant was also able to successfully evade security detections, Trend Micro added.
Analyzing the infrastructure used for these campaigns, researchers found a peculiarity: the URL used to host the encryptor is related to a threat actor known as Prolific Puma. This group is known for offering URL shortening services to criminals, making phishing attacks more convincing and therefore more disruptive.
In late 2023, Infoblox researchers uncovered a major link shortening operation in which criminals used a Registered Domain Generation Algorithm (RDGA) to create domain names in bulk. They then used those domains to provide a link shortening service to other malicious actors.
Earlier this month, the same company discovered that a threat actor called Revolver Rabbit was using an RDGA to register over 500,000 domains, an effort on which they spent over $1 million. The hacker used the RDGA to create command-and-control (C2) domains and decoys for the XLoader information-stealing malware.
Via Hacker News