Ziggy

Ziggy is a malicious software (malware) known for its damaging and exploitative capabilities. This malware, along with xmrig, can be downloaded and executed via specific scripts. It is associated with various hosted files including TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, and xmr3.assi. The functions within this malware drop queries with keywords such as tmate, xmrig, and ziggy. Ziggy is notable for having hardcoded IRC servers in its binary, making it particularly resilient. The malware operates by evading detection from applications attempting to identify running processes within system containers. It achieves this by ensuring that the presence of tmate, xmrig, and ziggy cannot be identified by reading files under /proc. According to Ziggy Davies, a Threat Intelligence Analyst at WithSecure, this malware is part of a lineage of older ransomware operations. New groups largely follow established playbooks but play a crucial role in sustaining the high volume of ransomware attacks facing organizations today. Ziggy is also identified as a variant of the Tsunami botnet malware, specifically a Kaiten variant. This version maintains persistence by writing itself on the "/etc/rc.local" file and attempts to avoid detection by changing the name of the currently running process to "[kworker/0:0]". The Tsunami botnet malware used in this attack shares significant overlaps with the original source code, indicating a clear evolution from previous versions. Furthermore, Ziggy is a binary that packs an encrypted ELF, demonstrating its advanced and complex nature.