.. /chmod

Star

An inbuilt utility that allows user’s to change file and folder permissions.

• https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
• https://www.reddit.com/r/esxi/comments/10txpje/i_was_attack_by_esxi_ransomware_and_the_attack/
• https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire
• https://www.hybrid-analysis.com/sample/be5d2e94c2498ec052fb025e3348085e418c856dd43080501acfe2067ba54c41/6553b8f44c06e50d5408581f

Change File Permission

1. Change Execution Permission of a file.

   chmod a+x /tmp/<FILENAME>

   Use case

   An adversary modifies permissions of a file. For e.g. The execution flag is set on a ransomware payload prior to deployment.

   Privileges required

   User

   Operating systems

   ESXi

   Additional Procedural Examples

   • /bin/chmod a+w /usr/lib/vmware/hostd/docroot/index.html 2>1 >/dev/null

   • /bin/chmod a+w /usr/lib/vmware/hostd/docroot/ui/index.html 2>1 >/dev/null

   ATT&CK® technique

   T1222.002

   
   

   Tags

   E-Crime: Cyborg Spider

   Developed and operates Pysa ransomware

   E-Crime: Pysa

   This function was tagged with "E-Crime: Pysa".

2. Making a file writeable.

   /bin/chmod +w /var/spool/cron/crontabs/root

   Use case

   An adversary alters a file's permissions to allow write access. Once the file has been modified, they may revert it to more restrictive permissions to prevent it being edited by other users.

   Privileges required

   User

   Operating systems

   ESXi

   Additional Procedural Examples

   • /bin/chmod -w /var/spool/cron/crontabs/root

   • chmod +x $CLEAN_DIR/encrypt

   ATT&CK® technique

   T1222.002

   
   

   Tags

   E-Crime: Nevada

   Nevada Ransomware operates via an an affiliate program and has been reported to have carried out a campaign targeting any ESXi machine that is exposed to the internet