# Revix Linux Ransomware

**angle.ankura.com/post/102hcny/revix-linux-ransomware**

Vishal Thakur

In the first half of 2021, we started to see the REvil ransomware operators pivot to targeting
Linux-based systems with a new Linux version of their ransomware, similar to the malware
they commonly used on Windows systems. Since then, there have been a few versions of
this Linux-based malware.

In this post, we look at the latest version of their Linux-based ransomware "1.2a".

## Quick Snapshot:

The malicious file is a Linux executable

Class: ELF64

Type: Dynamically Linked

Machine: X86-64

Number of section headers: 28

Entry Point: 0x401650

callq: __libc_start_main@plt

MD5: c83df66c46bcbc05cd987661882ff061

Yara Rules:


-----

[https://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revil.yar](https://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revil.yar)
[https://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revix.yar](https://github.com/YaraExchange/yarasigs/blob/master/ransomware/crime_lin_revix.yar)

## Introduction

The execution of this malware is straightforward. It traverses through the directories specified
as targets and encrypts the files present in those directories. Once encryption is complete, it
drops a ransom note in the directory with the usual ransom message and instructions on
paying the threat actor to get the decryption key.

This variant of Revix requires a couple of parameters to be passed to execute successfully. It
also requires escalated privileges to run and encrypt files on the disk successfully.
Additionally, the malware checks the files in the target directories to see if they are already
encrypted.

One of the main targets for this malware is VMware ESX platform's, which we've seen before
[in a different Linux ransomware from DarkSide.](https://www.trendmicro.com/en_au/research/21/e/darkside-linux-vms-targeted.html)

## Analysis

For this post, we analyzed Revix both statically and dynamically. Both methodologies have
been used together throughout the analysis process presented below.

Let’s take a quick look at a couple of sections of this executable so that we have the offsets
to some of the initial calls that can be used for further analysis.


-----

**Header:**

_Figure 1: Header Information_

**Section .init:**

This section holds executable instructions that need to be executed before the main program
entry point.

_Figure 2: section_

**Section .text:**

This section contains executable code.

_Figure 3: section_

## Functions


-----

Revix loads several functions upon initialization. Following are some of the more interesting
functions we can extract useful information from, to understand the flow of execution, along
with developing threat detections that we've provided at the end of this post.

We execute the malware while attached to a debugger and break at the main function to
view these functions presented below. Once we hit the main function, we follow the jump to
'puts' function to look at the CPU at that location. We can see all the loaded functions at this
point.

_Figure 4: Malware functions loaded upon initialization_

_Figure 5: Function sequence during execution_

## Initialization

Let's take a quick look at the program initialization:

The malware requires to be run with a couple of command-line arguments. We can see
these being passed through the stack in the image below/

_Figure 6: Parameters for the command-line arguments_

The image below shows another view from the CPU that shows the program execution in
flight


-----

_Figure 7: Program execution in flight_

_Figure 8: Stack view_

## Execution

When executed as a non-privileged user, the malware is not able to achieve full execution.

As shown in the image below, the malware has been provided with the directory 'here/' for
this analysis.

_Figure 9: Write execution on dir_

The malware tries to access the data in this directory for read/write and is unsuccessful, as
shown below.

_Figure 10: getdent64 unsuccessful_

The malware also tries to encrypt a test file that we used in our analysis, but the encryption
process fails as that action requires higher privileges.

_Figure 11: Encryption unsuccessful_

As a result, the execution fails to achieve the desired outcome for the malware, as shown
below.


-----

_Figure 12: Encryption failed_

Another point of interest from this failed execution is that the malware attempted to execute a
esxcli command but this action fails as there is no esxcli on our test machine.

_Figure 13: esxcli not found_

When we execute Revix with elevated privileges, we start to see more successful activity
from the malware.

Firstly, Revix can access the data in the target directory.

_Figure 14: getdents64 successful_

We can see in the image above, the system call ‘getdents’. This system call returns directory
entries for the directory it’s run against.

_Figure 15: getdents64(2) Synopsis_

In this case, there are three entries as we can see from the result shown in the image above.

Next, we can see that Revix is able to perform read/write functions on the data in the target
directories, resulting in successful encryption of files.

_Figure 16: Encryption successful_

The Revix output below shows that it can write the ransom note text file to the victim's disk.


-----

_Figure 17: Ransom note write successful_

Finally, we can see that the execution is completed successfully, resulting in the data present
in the target directory being encrypted:

_Figure 18: Execution complete_

The file we provided in the target directory is now encrypted, and a ransom note is created in
the same directory:

_Figure 19: Execution complete, file encrypted_

The malware also checks if the data in the target directory is already encrypted. To
demonstrate this, we ran Revix against the same target directory one more time.

Upon execution, Revix runs a check on the data present in the target directory and identifies
it to be already encrypted:

_Figure 20: Encryption check performed_

As a result, the execution ends up with no data being encrypted.


-----

_Figure 21: Execution complete_

## VMware ESX Targeting

Revix also tries to use esxcli, the command line interface for VMware’s ESX platform.

Let's take a quick look at the parameters passed to esxcli by Revix when it executes:

_esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk_
_-F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'_

**vm process list**

List the virtual machines on this system. This command currently will only list running VMs
on the system.

**vm process kill**

Used to forcibly kill Virtual Machines that are stuck and not responding to normal stop
operations.

**--type**

There are three types of VM kills that can be attempted: [soft, hard, force].

**--world-id | -w**

The World ID of the Virtual Machine to kill. This can be obtained from the 'vm process list'
command (required)

Essentially, these ESX command-line arguments are shutting down all virtual machines
running on the ESX platform.

Revix attempts to target the '/vmfs' directory and encrypt all the data present in that directory,
so all the virtual machines are rendered inoperable until the data is decrypted. This targeting
is similar to that seen in DarkSide's Linux variant.

## Command-line Arguments

The malware requires the following parameters to be passed for its execution to begin:

**elf.exe --path /vmfs/ --threads 5**

It also allows the '--silent' option that executes the malware without stopping any VMs

**--silent (-s) use for not stoping VMs mode ***


-----

**Parameter** **Purpose**

--path Specifies the path of the data that needs to be encrypted

--threads Specifies the number of threads, by default the malware uses 50 threads

--silent Executes the malware without stopping the VMs running on ESX

## Configuration

The configuration of Revix is similar to that of its Windows variant, only with fewer fields.

**Field** **Description**

pk Public Key

pid ID

Sub Tag

Dbg Debug mode

nbody Base64-encoded body of the ransom-note

nname Filename of the ransom-note

rdmcnt Readme Count

ext File extension of the encrypted files

Here's an image showing the configuration we were able to extract from the sample we
analysed:


-----

_Figure 22: Configuration_

## Profiling

Revix also gathers information about the victim machine by running the "uname" command:

**uname -a && echo " | " && hostname**

_Figure 23: System profiling_

The results of the above command appear in the stack:

_Figure 24: Stack view of system profiling in action_

The info is then passed through the registers:


-----

_Figure 25: Register view od system profiling in action_

And the end-result is created in the form of this configuration with the victim information:

_Figure 26: System profiling complete_

## Encryption

The malware uses Salsa20 encryption algorithm, just like its Windows variant, to encrypt the
data. Here is the pseudocode for the function that implements this encryption:

_Figure 27: Pseudo-code for the encryption algorithm_


-----

## Mitigation

### Detections

**Commands**

Revix runs this command to determine machine info:

_uname -a && echo " | " && hostname_

Revix tries to query this directory:

_/dev/urandom_

Revix runs the below command to stop VMs running on the ESX platform in order to encrypt
the data on those VMs:

_esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk_
_-F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'_

Typos:

In some instances, typos that malware authors commit to the code are useful in detecting
specific malware or similar code used in other malware families. Below are some of the typos
we found in this variant of Revix:

_--silent (-s) use for not stoping VMs mode_

**_semms to be protected by os but let's encrypt anyway…_**

## YARA Ruleset 1


-----

rule Revix {

meta:

description = "Detects REvil Linux - Revix 1.1 and 1.2"

author = "Josh Lemon"

reference = "https://angle.ankura.com/post/102hcny/revix-linux-ransomware"

date = "2021-11-04"

version = "1.0"

hash1 =
"f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"

hash2 = "559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7"

hash3 =
"ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4"

strings:

$s1 = "Usage example: elf.exe --path /vmfs/ --threads 5" fullword ascii

$s2 = "uname -a && echo \" | \" && hostname" fullword ascii

$s3 = "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm
process list" ascii

$s4 = "awk -F \"\\\"*,\\\"*\" '{system(\"esxcli" ascii

$s5 = "--silent (-s) use for not stoping VMs mode" fullword ascii

$s6 = "!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!" fullword ascii

$s7 = "%d:%d: Comment not allowed here" fullword ascii

$s8 = "Error decoding user_id %d " fullword ascii

$s9 = "Error read urandm line %d!" fullword ascii

$s10 = "%d:%d: Unexpected `%c` in comment opening sequence" fullword ascii

$s11 = "%d:%d: Unexpected EOF in block comment" fullword ascii

$s12 = "Using silent mode, if you on esxi - stop VMs manualy" fullword ascii

$s13 = "rand: try to read %hu but get %lu bytes" fullword ascii

$s14 = "Revix" fullword ascii

$s15 = "without --path encrypts current dir" fullword ascii    $e1 = "[%s] already
encrypted" fullword ascii

$e2 = "File [%s] was encrypted" fullword ascii

$e3 = "File [%s] was NOT encrypted" fullword ascii

$e4 = "Encrypting [%s]" fullword ascii

condition:

uint16(0) == 0x457f and filesize

}

## YARA Ruleset 2

/*

author = "Vishal Thakur - malienist.medium.com"

date = "2021-11-15"

version = "1"


-----

description = Detects Revix 1.2a and earlier versions of Revix
info = "Generated from information extracted from the malware sample by manual
analysis."
*/

import "pe"

rule revixStatic {

strings:

$header = { 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3e 00 01 00 00 00
50 16 40 00 00 00 00 00 }

$config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75
62 22 3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22
2C 22 73 6B 22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22
?? ?? 22 7D }

$uname = { 75 6E 61 6D 65 20 2D 61 20 26 26 20 65 63 68 6F }

condition:

all of them and

filesize

}

rule revixCode {

strings:

$err1 = { 45 72 72 6F 72 20 6F 70 65 6E 20 75 72 61 6E 64 6D }

$err2 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6D 61 73 74 65 72 5F 70 6B }

$err3 = { 66 61 74 61 6C 20 65 72 72 6F 72 2C 6D 61 73 74 65 72 5F 70 6B 20 73 69
7A 65 20 69 73 20 62 61 64 }

$err4 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 75 73 65 72 5F 69 64 }

$err5 = { 45 72 72 6F 72 20 64 65 63 6F 64 69 6E 67 20 6E 6F 74 65 5F 62 6F 64 79 }

$form1 = { 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 ?? ?? }

$form2 = { 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 ?? ?? }

$config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75
62 22 3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22
2C 22 73 6B 22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22
?? ?? 22 7D }

condition:


-----

all of them and

filesize

}

rule revixESX {

strings:

$cmd1 = { 65 73 78 63 6C 69 }

$cmd2 = { 2D 66 6F 72 6D 61 74 74 65 72 3D ?? ?? ?? }

$cmd3 = { 2D 2D 66 6F 72 6D 61 74 2D 70 61 72 61 6D }

$cmd4 = { 76 6D 20 70 72 6F 63 65 73 73 20 6C 69 73 74 }

$cmd5 = { 65 73 78 63 6C 69 20 76 6D 20 70 72 6F 63 65 73 73 20 6B 69 6C 6C }

$cmd6 = { 2D 2D 77 6F 72 6C 64 2D 69 64 3D 22 ?? ?? ?? }

$config = { 7B 22 76 65 72 22 3A ?? ?? 2C 22 70 69 64 22 3A 22 ?? ?? 22 2C 22 73 75
62 22 3A 22 ?? ?? 22 2C 22 70 6B 22 3A 22 ?? ?? 22 2C 22 75 69 64 22 3A 22 ?? ?? 22
2C 22 73 6B 22 3A 22 ?? ?? 22 2C 22 6F 73 22 3A 22 ?? ?? 22 2C 22 65 78 74 22 3A 22
?? ?? 22 7D }

condition:

all of them and

filesize

}

rule revixPE {

condition:

pe.entry_point == 0x401650

}

## Conclusion

As we can see in the analysis shown above, the execution of Revix is a bit clunky in this
variant. It requires multiple conditions to be met before the ransomware is successful in
encrypting data.


-----

Revix needs to be executed as a command-line argument with elevated privileges, specified
target directories, and the number of threads. Basically, it's not a standalone application at
this time and is quite noisy as well.

If Revix is not run with silent mode enabled, it will try to stop any VMWare ESX virtual
machines, triggering incident response processes from the victim. Revix could quite possibly
fail to encrypt the virtual machines due to reduced/restricted access of where they reside on
a Linux system.

As new variants for the Revix ransomware are released, we expect the execution to be more
efficient, requiring fewer manual processes from the threat actor.

## References

[ESXi 7.0 U3 ESXCLI Command Reference](https://developer.vmware.com/docs/14743/esxi-7-0-u3-esxcli-command-reference/namespace/esxcli_vm.html)

[DarkSide on Linux: Virtual Machines Targeted - Naiim, M.,2021](https://www.trendmicro.com/en_au/research/21/e/darkside-linux-vms-targeted.html)

[getdents64(2) - Linux man page](https://linux.die.net/man/2/getdents64)

[Code Analysis details by Intezer Analyse](https://analyze.intezer.com/files/f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5)

_© Copyright 2021. The views expressed herein are those of the author(s) and not_
_necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its_
_affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice._


-----