Ziggy

Malware updated 4 months ago (2024-05-04T22:19:03.639Z)

Download STIX

Preview STIX

Ziggy is a malicious software (malware) known for its damaging and exploitative capabilities. This malware, along with xmrig, can be downloaded and executed via specific scripts. It is associated with various hosted files including TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, and xmr3.assi. The functions within this malware drop queries with keywords such as tmate, xmrig, and ziggy. Ziggy is notable for having hardcoded IRC servers in its binary, making it particularly resilient. The malware operates by evading detection from applications attempting to identify running processes within system containers. It achieves this by ensuring that the presence of tmate, xmrig, and ziggy cannot be identified by reading files under /proc. According to Ziggy Davies, a Threat Intelligence Analyst at WithSecure, this malware is part of a lineage of older ransomware operations. New groups largely follow established playbooks but play a crucial role in sustaining the high volume of ransomware attacks facing organizations today. Ziggy is also identified as a variant of the Tsunami botnet malware, specifically a Kaiten variant. This version maintains persistence by writing itself on the "/etc/rc.local" file and attempts to avoid detection by changing the name of the currently running process to "[kworker/0:0]". The Tsunami botnet malware used in this attack shares significant overlaps with the original source code, indicating a clear evolution from previous versions. Furthermore, Ziggy is a binary that packs an encrypted ELF, demonstrating its advanced and complex nature.

Description last updated: 2024-05-04T21:43:59.982Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Kaiten	2	Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, often being distributed alongside other DDoS bots like Mirai and Gafgyt. The
Tsunami	2	The "Tsunami" malware, a malicious software designed to exploit and damage computer systems, has caused significant cybersecurity disruptions globally. This malware, whose variants include xmrigDeamon, Bioset, dns3, xmrigMiner, docker-update, dns, 64[watchdogd], 64bioset, 64tshd, armbioset, armdns,

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Bot

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Ziggy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	2023 ransomware statistics: Number of double-extortion attacks skyrocket
CERT-EU	10 months ago	New ransomware groups help drive surge in attacks – Global Security Mag Online
CERT-EU	10 months ago	New ransomware groups account for a quarter of all leaks
Securityaffairs	a year ago	New Tsunami botnet targets Linux SSH servers
CERT-EU	a year ago	New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
MITRE	2 years ago	Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
CERT-EU	a year ago	New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices
CERT-EU	a year ago	Hackers Attack Linux SSH Servers with Tsunami DDoS Malware