.. /touch

Timestomp

Primarily used to create an empty file or to update the timestamp (modification and access time) of an existing file without changing its content.


Paths:

Resources:
Acknowledgements:

Detection:

Timestomp

  1. Changes modification or access timestamps of a target file based on a reference file.

    /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh
    Use case
    An adversary copies the modification and access timestamps of a reference file onto a target file. This hinders timestamp-based analysis, because the malicious file matches the timestamps of a legitimate file.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/endpoints.conf
    • /bin/touch -r /usr/lib/vmware/busybox/bin/busybox /var/spool/cron/crontabs/root
    • /bin/touch -r /usr/lib/vmware/busybox/bin/busybox /bin/hostd-probe.sh
    ATT&CK® technique
    T1070.006

    Tags
    E-Crime: Nevada
    Nevada Ransomware operates via an affiliate program and has been reported to have carried out a campaign targeting any ESXi machine that is exposed to the internet.
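
One way to hunt for the `touch -r` usage listed above in collected shell command logs, as an added example that is not part of the original entry. The log line layout, the `WATCHED` list and the function names are assumptions made for illustration; the sample lines are constructed.

```python
import shlex

# Assumption: watch list built from the target directories in this page's examples.
WATCHED = ("/etc/rc.local.d/", "/etc/vmware/", "/var/spool/cron/", "/bin/")
# Constructed sample lines; the "timestamp shell[pid]: [user]: command" layout is assumed.
SAMPLE_LOG = [
    "2024-01-01T10:11:58Z shell[1001]: [root]: ls -la /etc/rc.local.d/",
    "2024-01-01T10:12:01Z shell[1001]: [root]: /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh",
    "2024-01-01T10:12:09Z shell[1001]: [root]: touch /tmp/scratch.txt",
    "2024-01-01T10:12:15Z shell[1001]: [root]: touch -cr/usr/lib/vmware/busybox/bin/busybox /var/spool/cron/crontabs/root",
]

def parse_touch_reference(command):
    """Return (reference, targets) for a touch call that uses a reference file, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "touch":
        return None
    reference, targets, args = None, [], iter(argv[1:])
    for arg in args:
        if arg == "--":
            targets.extend(args)  # everything after -- is a file operand
        elif arg.startswith("--reference="):
            reference = arg.split("=", 1)[1]
        elif arg == "--reference":
            reference = next(args, None)
        elif arg.startswith("-") and not arg.startswith("--"):
            # Short option cluster: -r, -d and -t take the rest of the cluster or the next word.
            for i, ch in enumerate(arg[1:], start=1):
                if ch in "rdt":
                    value = arg[i + 1:] or next(args, None)
                    reference = value if ch == "r" else reference
                    break
        elif not arg.startswith("-"):
            targets.append(arg)
    return (reference, targets) if reference and targets else None

def detect(log_lines):
    """Return one finding per line where touch copies timestamps onto a watched path."""
    findings = []
    for line in log_lines:
        # The command is taken as the text after the assumed "[user]: " prefix.
        parsed = parse_touch_reference(line.rsplit("]: ", 1)[-1])
        reference, targets = parsed or (None, [])
        hits = [t for t in targets if t.startswith(WATCHED)]
        if hits:
            findings.append({"reference": reference, "targets": hits, "line": line})
    return findings
```

`detect(SAMPLE_LOG)` flags the two lines that copy timestamps onto `/etc/rc.local.d/local.sh` and `/var/spool/cron/crontabs/root`. Only the first command on a line is inspected, so commands chained with `;` or `&&` need splitting beforehand.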