Type: Campaign
Actors: TargetCompany
Pub. date: May 2, 2024
Initial access: Password attack, Software misconfig
Impact: RansomOp
Observed techniques: Password bruteforcing, Vulnerability exploitation
Observed tools: Mallox ransomware, AnyDesk, Remcos RAT
Targeted technologies: Microsoft SQL Server
References: https://asec.ahnlab.com/en/64921/
Status: Finalized
Last edited: Jun 2, 2024 11:58 AM
Researchers investigated a series of ransomware attacks targeting poorly managed MS-SQL servers by the TargetCompany ransomware group. This group primarily installs Mallox ransomware, with recent analysis linking these incidents to earlier attacks involving Tor2Mine CoinMiner and BlueSky ransomware.
- Attack Methodology:
  - The TargetCompany group gains access to poorly managed MS-SQL servers through brute-force and dictionary attacks.
  - After logging in with the SA account, they deploy Remcos RAT, a remote administration tool that is also abused for keylogging, screen capture, and webcam control.
  - Following Remcos RAT, further malware is installed for deeper control of the system, including a remote screen control tool and AnyDesk.
- Use of Mallox Ransomware:
  - Approximately 29 hours after initial access, Mallox ransomware is deployed to encrypt the infected system.
  - Before encrypting, Mallox deletes volume shadow copies, disables Windows recovery features, terminates certain processes, and alters registry keys so the system cannot be shut down during encryption.
  - It spreads by accessing shared folders, and it collects system information that it sends back to its command and control (C&C) server.
- Comparative Analysis with Previous Attacks:
  - The C&C server addresses and methodology in these attacks match those used in earlier campaigns involving the Tor2Mine CoinMiner and BlueSky ransomware, suggesting the same threat group is responsible.
  - Notably, the remote screen control malware seen in the recent attacks appears to be custom-made and was first observed in December 2022.
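Because the initial access described above is a brute-force or dictionary attack against the SA account, the most direct detection is a failed-login burst per client address in the SQL Server ERRORLOG. The following is an added example written for this summary, not code from AhnLab or the referenced report: it parses constructed ERRORLOG lines (the sample log, the threshold of 5 failures in 60 seconds, and the client addresses are all assumptions made for the example) and escalates a finding when a successful login follows the burst, which is the pattern of a brute force that worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of a SQL Server ERRORLOG (not real telemetry).
# Six 'sa' failures from one client, then a success, plus one unrelated failure.
SAMPLE_ERRORLOG = """\
2024-04-30 02:11:07.31 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-30 02:11:07.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:07.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:07.74 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:07.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:08.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:08.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-04-30 02:11:09.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-04-30 02:15:00.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

# Matches the "Login failed/succeeded for user '...' ... [CLIENT: ...]" lines.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of logon events (ts, result, user, client) from ERRORLOG text."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # skips the "Error: 18456" line that precedes each failure
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "result": m["result"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_login_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """One finding per (client, user) whose failures within `window` reach
    `threshold`; severity is raised to 'critical' if a success follows the burst."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["client"], ev["user"])].append(ev)

    findings = []
    for (client, user), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["result"] == "failed"]
        burst_end = None
        start = 0  # left edge of the sliding window over failure timestamps
        for i, t in enumerate(failures):
            while t - failures[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        success_after = any(
            e["result"] == "succeeded" and e["ts"] >= burst_end for e in evs
        )
        findings.append({
            "client": client,
            "user": user,
            "failures": len(failures),
            "severity": "critical" if success_after else "high",
        })
    return findings


if __name__ == "__main__":
    for f in detect_login_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(f)
```

The rule keys on (client, user) rather than on client alone so that a password spray against many logins and a dictionary attack against SA are both visible, and the threshold and window should be tuned against the server's normal failure rate before alerting on it. On a server where this fires for 'sa' with a success after the burst, the summary above indicates what tends to follow within hours: Remcos RAT, AnyDesk, and eventually Mallox.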