In this blog entry, our researchers provide an analysis of TargetCompany ransomware’s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution.
Discovered in June 2021, the TargetCompany ransomware is tracked by Trend Micro as “Water Gatpanapun” and operates a leak site under the name “Mallox.” This year we have observed the group's activity to be highest in Taiwan, India, Thailand, and South Korea.
Since its discovery, TargetCompany has kept evolving its techniques to circumvent the security defenses employed by organizations. Two such techniques are its use of a PowerShell script to bypass the Antimalware Scan Interface (AMSI) and its abuse of fully undetectable (FUD) obfuscator packers.
Recently, our threat hunting team discovered a new variant of the TargetCompany ransomware specifically targeting Linux environments. This variant uses a shell script for payload delivery and execution (Figure 1).
This technique had not been observed in previous TargetCompany variants, indicating that the group continues to evolve and is likely to employ more sophisticated methods in future attacks. The newly found Linux variant also aligns with the broader trend of ransomware groups extending their attacks to critical Linux environments, which potentially widens the range of victims they can target.
