Type: Campaign
Actors:
Pub. date: May 2, 2024
Initial access: Password attack, Software misconfig
Impact: RansomOp
Observed techniques:
Observed tools:
Targeted technologies:
References:
Status: Finalized
Last edited: Jun 2, 2024 11:58 AM
Researchers investigated a series of ransomware attacks targeting poorly managed MS-SQL servers by the TargetCompany ransomware group. This group primarily installs Mallox ransomware, with recent analysis linking these incidents to earlier attacks involving Tor2Mine CoinMiner and BlueSky ransomware.
- Attack methodology:
  - The TargetCompany group gains access to poorly managed MS-SQL servers through brute-force and dictionary attacks against the login.
  - After gaining access via the SA account, they deploy Remcos RAT, a remote administration tool that is also used maliciously for keylogging, screen capture, and webcam control.
  - After Remcos RAT, further malware, including a remote screen control tool and AnyDesk, is installed for deeper control of the system.
- Use of Mallox ransomware:
  - Approximately 29 hours after initial access, Mallox ransomware is deployed to encrypt the infected system.
  - Mallox deletes volume shadow copies, disables Windows recovery features, terminates certain processes, and alters registry keys so that the system cannot be shut down during encryption.
  - It spreads by accessing shared folders and collects system information, which it sends to its command and control (C&C) server.
- Comparative analysis with previous attacks:
  - The C&C server addresses and methods observed in these attacks match those used in earlier campaigns involving the Tor2Mine CoinMiner and BlueSky ransomware, suggesting the same threat group is responsible.
  - Notably, a unique remote screen control malware identified in the recent attacks appears to be custom-made and was first seen in December 2022.
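The initial-access step under "Attack methodology" above, as an added detection example that is not drawn from the report: this Python script parses constructed SQL Server ERRORLOG logon lines and raises an alert when one client address repeatedly fails to authenticate as a given login (here 'sa') inside a short window, recording whether a successful login from the same address followed. The log lines, addresses, timestamps and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on SQL Server ERRORLOG logon messages (hypothetical
# timestamps and addresses). Successful logins only appear in the ERRORLOG when login
# auditing is set to "Both failed and successful logins".
SAMPLE_LOG = """\
2024-04-20 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-20 03:12:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-20 03:12:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-20 03:12:02.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-20 03:12:02.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-20 03:12:09.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-04-20 08:00:00.00 Logon       Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logon_events(log):
    """Yield (timestamp, outcome, user, client_ip) for each logon line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["ip"]

def detect_password_attacks(log, threshold=5, window=timedelta(minutes=5)):
    """Alert per (client_ip, user) once `threshold` failures fall inside a sliding `window`;
    a later success from the same pair is the guessed-password-then-session pattern."""
    recent = defaultdict(list)   # (ip, user) -> failure timestamps still inside the window
    alerts = {}
    for ts, outcome, user, ip in parse_logon_events(log):
        key = (ip, user)
        if outcome == "failed":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {"first_seen": recent[key][0], "success_after": False})
                alert["failures"] = len(recent[key])
        elif key in alerts:
            alerts[key]["success_after"] = True   # bursts that end in a login get priority
    return alerts
```

Running `detect_password_attacks(SAMPLE_LOG)` flags the 'sa' burst from 203.0.113.45 with a success afterwards, while the single 'app_svc' failure stays below the threshold.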