While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.
Similar to previous cases, this attack targeted improperly managed MS-SQL servers. The threat group is suspected to have targeted the MS-SQL server with brute force and dictionary attacks, subsequently installing Remcos RAT after logging into the SA account. Four hours after the attack, they further installed remote screen control malware using Remcos RAT. It is suspected that the threat actors investigated and exfiltrated information from the infected system through these malware. In another attack, the threat group attempted to install the Mallox ransomware 29 hours later to encrypt the infected system.
1. Remcos RAT
Remcos is a commercially available Remote Administration Tool (RAT) marketed for remote management purposes. However, like other Remote Access Trojan (RAT) malware, it supports malicious functionalities such as keylogging, screenshot capture, control of webcams and microphones, as well as extraction of web browser history and passwords from systems. Because of these capabilities, various threat actors use it for malicious purposes [1].
While Remcos is often distributed as attachments to spam emails or disguised as cracks, it is also frequently used alongside Cobalt Strike in attacks targeting poorly managed MS-SQL servers for the purpose of controlling infected systems [2]. Around May 2023, after seizing control of an MS-SQL server, it was distributed by abusing the SQLPS utility instead of PowerShell in order to evade detection by security products.
The recently confirmed attack also targeted a poorly managed server, and the SQLPS tool was used during the malware installation process.
The Remcos RAT used in the attack is version 4.9.3 Light. Unlike the Pro version, the Light version does not support features such as keylogging or screenshot capture. Below is the configuration data that was decrypted during the execution of Remcos RAT along with a portion of the major configurations.
Configuration | Data |
---|---|
Host:Port:Password | 80.66.75[.]238:3388:1 |
Assigned name | RemoteHost |
Connect interval | 1 |
Mutex | Rmc-8P1R4F |
Keylog flag | Disabled |
Keylog path | Application path |
Keylog file | logs.dat |
Screenshot flag | Disabled |
Screenshot time | 10 |
Screenshot path | AppData |
Screenshot file | Screenshots |
Audio record time | 5 |
Audio folder | MicRecords |
Copy folder | Remcos |
Keylog folder | remcos |
The threat group used Remcos RAT to install additional malware, the first being a malware that installs AnyDesk and enables control of the infected system through an added user account. This suggests that the Light version of Remcos was sufficient for the threat actors, since remote control was to be provided by these additional tools rather than by Remcos itself. Furthermore, in another attack, a case was confirmed where, after approximately 29 hours, the threat group attempted to install the Mallox ransomware to encrypt the infected system.
2. Remote Screen Control Malware
Four hours after the initial infection, the threat actors used Remcos RAT to install additional malware that added remote control functionality. This malware first connects to the “creds” address on a C&C server to download a string. While it was not possible to establish a connection to the C&C server at the time of analysis, it is presumed that the malware could download a string in the “ID;PW” format. This string is then used to add a user account and register it to the administrator group.
URL | Description |
---|---|
https://{C&C Server}/creds | Downloads user account string to be added (ID;PW format) |
https://{C&C Server}/secret | Downloads password string to be specified when installing AnyDesk |
https://{C&C Server}/desk | Downloads the AnyDesk installer (MSI) |
https://{C&C Server}/gate/{AnyDesk_ID} | Sends the ID for the installed AnyDesk instance |
Afterward, it connects to the “secret” address to download a string, which serves as the password to be set after the installation of AnyDesk. It then checks whether the “AnyDeskMSI\AnyDeskMSI.exe” file exists in the Program Files path. If AnyDesk is not installed, it downloads the AnyDesk MSI installer from the “desk” address and installs it. Once these steps are completed, it sets the password downloaded from the C&C server on AnyDesk and obtains the ID of the installed AnyDesk instance. Finally, it transmits this ID to the “gate” address.
Argument | Description |
---|---|
--start-service | Starts the AnyDesk service |
--set-password | Sets a password for AnyDesk |
--restart-service | Restarts the AnyDesk service |
--get-id | Finds the ID of the installed AnyDesk |
The threat actors could access the infected system using the AnyDesk ID received at the C&C server, authenticate with the password delivered via “secret”, and thereby gain control over the infected system. Additionally, with the added account credentials, they would also have been able to log in to the infected system via Remote Desktop Protocol (RDP) and perform remote screen control.
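The account-creation and AnyDesk deployment chain described above is far easier to recognize as a sequence than as isolated events: a single silent AnyDesk install is common in IT operations, but an account being created, added to the administrators group, and followed within minutes by an AnyDesk install with `--set-password` and `--get-id` from the same parent process is not. The script below is an added example (not code from the post or from AhnLab). The telemetry lines are constructed to resemble process-creation events, and the exact command lines (the `net user` / `msiexec` / `AnyDeskMSI.exe` invocations) are assumptions, since the post lists only the AnyDesk arguments used.

```python
"""Stateful detection of the account-add + AnyDesk deployment chain.

Added example; not from the post. Events are constructed sample telemetry
in the shape (timestamp, parent image, command line). The command lines are
assumed: the post names the AnyDesk arguments, not the full invocations.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. "launcher.exe" is the file name the post gives
# for the remote screen control malware; the command lines are assumptions.
SAMPLE_EVENTS = [
    ("2024-04-18 10:00:05", "launcher.exe", r"net user svc_backup P@ssw0rd123 /add"),
    ("2024-04-18 10:00:06", "launcher.exe", r"net localgroup administrators svc_backup /add"),
    ("2024-04-18 10:00:20", "launcher.exe", r"msiexec.exe /i C:\Users\Public\AnyDesk.msi /qn"),
    ("2024-04-18 10:01:10", "launcher.exe", r'"C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe" --set-password'),
    ("2024-04-18 10:01:12", "launcher.exe", r'"C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe" --get-id'),
    # Benign admin activity: one stage alone must not raise an alert.
    ("2024-04-18 12:30:00", "explorer.exe", r"msiexec.exe /i C:\Temp\7zip.msi /qn"),
]

# Each stage of the chain as a command-line pattern (order matters only for
# the first match; the patterns are mutually exclusive on the sample data).
STAGE_PATTERNS = {
    "account_add": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "admin_group_add": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "anydesk_install": re.compile(r"msiexec(?:\.exe)?\s.*anydesk\S*\.msi", re.I),
    "anydesk_set_password": re.compile(r"anydesk\S*\s.*--set-password", re.I),
    "anydesk_get_id": re.compile(r"anydesk\S*\s.*--get-id", re.I),
}


def classify(cmdline):
    """Return the chain stage a command line belongs to, or None."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmdline):
            return stage
    return None


def detect_remote_control_chain(events, window_minutes=30, min_stages=3):
    """Group stage hits by parent image and alert when at least `min_stages`
    distinct stages occur within `window_minutes` of each other.

    Returns one finding per parent: {"parent", "stages", "start"}.
    """
    window = timedelta(minutes=window_minutes)
    hits = {}  # parent image -> [(timestamp, stage), ...]
    for ts_str, parent, cmd in events:
        stage = classify(cmd)
        if stage is None:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        hits.setdefault(parent.lower(), []).append((ts, stage))

    findings = []
    for parent, items in hits.items():
        items.sort()
        # Slide a window from each hit; report the first window that qualifies.
        for i, (start, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - start <= window}
            if len(stages) >= min_stages:
                findings.append({
                    "parent": parent,
                    "stages": sorted(stages),
                    "start": start.isoformat(sep=" "),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_remote_control_chain(SAMPLE_EVENTS):
        print(finding)
```

In a real pipeline the grouping key would be host plus parent process ID rather than the parent image name, and the window would be tuned to the environment; the point of the example is that `explorer.exe` installing an MSI never alerts, while the full chain from one parent does.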
3. Mallox Ransomware
Mallox, along with Trigona and BlueSky, is one of the prominent ransomware strains that target poorly managed MS-SQL servers [4]. The threat actors also installed Mallox using Remcos RAT on another system.
Overview | Description |
---|---|
Encryption algorithm | AES-256 / SHA-256, AES-128-CTR [5] |
Encryption extension | “.rmallox” |
Ransom note filename | “HOW TO BACK FILES.txt” |
Prioritized extensions for encryption | “.bak”, “.zip”, “.rar”, “.7z”, “.gz”, “.sql”, “.mdf”, “.hdd”, “.vhd”, “.vdi”, “.vmx”, “.vmdk”, “.nvram”, “.vmem”, “.vmsn”, “.vmsd”, “.vmss”, “.lck”, “.vhdx”, “.vhd”, “.dbf”, “.ora”, “.oraenv”, “.dmp”, “.ibd”, “.mdb”, “.smd”, “.mdb” |
Paths excluded from encryption | “msocache”, “$windows.~ws”, “system volume information”, “intel”, “appdata”, “perflogs”, “programdata”, “google”, “application data”, “tor browser”, “boot”, “$windows.~bt”, “mozilla”, “boot”, “windows.old”, “Windows Microsoft.NET”, “WindowsPowerShell”, “Windows NT”, “Windows”, “Common Files”, “Microsoft Security Client”, “Internet Explorer”, “Reference”, “Assemblies”, “Windows Defender”, “Microsoft ASP.NET”, “Core Runtime”, “Package”, “Store”, “Microsoft Help Viewer”, “Microsoft MPI”, “Windows Kits”, “Microsoft.NET”, “Windows Mail”, “Microsoft Security Client”, “Package Store”, “Microsoft Analysis Services”, “Windows Portable Devices”, “Windows Photo Viewer”, “Windows Sidebar” |
Files excluded from encryption | “desktop.ini”, “ntuser.dat”, “thumbs.db”, “iconcache.db”, “ntuser.ini”, “ntldr”, “bootfont.bin”, “ntuser.dat.log”, “bootsect.bak”, “boot.ini”, “autorun.inf”, “debugLog.txt”, “TargetInfo.txt” |
Extensions excluded from encryption | “.msstyles”, “.icl”, “.idx”, “.avast”, “.rtp”, “.mallox”, “.sys”, “.nomedia”, “.dll”, “.hta”, “.cur”, “.lock”, “.cpl”, “.Globeimposter-Alpha865qqz”, “.ics”, “.hlp”, “.com”, “.spl”, “.msi”, “.key”, “.mpa”, “.rom”, “.drv”, “.bat”, “.386”, “.adv”, “.diangcab”, “.mod”, “.scr”, “.theme”, “.ocx”, “.prf”, “.cab”, “.diagcfg”, “.msu”, “.cmd”, “.ico”, “.msc”, “.ani”, “.icns”, “.diagpkg”, “.deskthemepack”, “.wpx”, “.msp”, “.bin”, “.themepack”, “.shs”, “.nls”, “.exe”, “.lnk”, “.ps1”, “.rmallox” |
Terminated processes | Organized in Reference data |
Terminated services | Organized in Reference data |
C&C URL | hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php |
Others | Deletes volume shadow copies. Deactivates the termination feature. |
Mallox first utilizes the following commands to delete volume shadow copies and disable Windows recovery-related features.
> cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
> cmd.exe /c bcdedit /set {current} recoveryenabled no
> vssadmin.exe delete shadows /all /quiet
Additionally, Mallox forcibly terminates processes and services that interfere with file encryption, such as databases, virtual environments, and backup solutions. Furthermore, Mallox sets registry keys to disable shutdown, restart, and logout buttons, as well as disabling the shutdown function on the logon screen, thereby obstructing users from powering off or rebooting the system during the encryption process.
Configured Registries | Description |
---|---|
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown / value / 0x00000001 | Deactivates the shutdown button |
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart / value / 0x00000001 | Deactivates the restart button |
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut / value / 0x00000001 | Deactivates the logout button |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / shutdownwithoutlogon / 0x00000000 | Deactivates the shutdown function on the logon screen |
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / MaxConnectionTime / 0x00000000 | Restricts remote desktop connection |
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / MaxDisconnectionTime / 0x00000000 | Restricts remote desktop connection |
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / MaxIdleTime / 0x00000000 | Restricts remote desktop connection |
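The recovery-inhibition commands and registry values above are useful both for detection and for post-incident triage of a host that may have been staged for encryption. The script below is an added example (not code from the post or from AhnLab): it checks a registry snapshot and a list of observed command lines against the values the post attributes to Mallox. The registry keys and commands come from the post; the snapshot, the command lines and the scoring weights are this example's own constructions. The PolicyManager `Start\Hide*` values are weighted higher because they are normally absent on a stock system, whereas `shutdownwithoutlogon` and the Terminal Services timeouts can legitimately be 0 on a server.

```python
"""Audit a host for the Mallox pre-encryption registry values and commands.

Added example; not from the post. Registry keys and commands are those the
post lists; snapshot data, command lines and weights are constructed here.
"""
import re

# (key, value name) -> (data Mallox writes, weight). Keys are lower-cased
# because the Windows registry is case-insensitive.
MALLOX_REGISTRY_VALUES = {
    (r"hklm\software\microsoft\policymanager\default\start\hideshutdown", "value"): (1, 2),
    (r"hklm\software\microsoft\policymanager\default\start\hiderestart", "value"): (1, 2),
    (r"hklm\software\microsoft\policymanager\default\start\hidesignout", "value"): (1, 2),
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "shutdownwithoutlogon"): (0, 1),
    (r"hklm\software\policies\microsoft\windows nt\terminal services", "maxconnectiontime"): (0, 1),
    (r"hklm\software\policies\microsoft\windows nt\terminal services", "maxdisconnectiontime"): (0, 1),
    (r"hklm\software\policies\microsoft\windows nt\terminal services", "maxidletime"): (0, 1),
}

# Command-line patterns for the three recovery-inhibition commands in the post.
RECOVERY_COMMANDS = [
    ("bcdedit_ignore_boot_failures", re.compile(r"bcdedit(?:\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
]

# Constructed snapshot: {(key, value name): data}, as one would build it from a
# registry export of a suspect host. Here every Mallox value is present.
SAMPLE_SNAPSHOT = {
    (r"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown", "value"): 1,
    (r"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart", "value"): 1,
    (r"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut", "value"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "shutdownwithoutlogon"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxConnectionTime"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxDisconnectionTime"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxIdleTime"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"): "SecurityHealthSystray.exe",
}

# Constructed command lines: the three from the post plus a benign one.
SAMPLE_COMMANDS = [
    "cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures",
    "cmd.exe /c bcdedit /set {current} recoveryenabled no",
    "vssadmin.exe delete shadows /all /quiet",
    "vssadmin.exe list shadows",
]


def audit_registry(snapshot):
    """Return [(key, name, data, weight)] for values matching Mallox's writes."""
    matches = []
    for (key, name), data in snapshot.items():
        expected = MALLOX_REGISTRY_VALUES.get((key.lower(), name.lower()))
        if expected is not None and data == expected[0]:
            matches.append((key, name, data, expected[1]))
    return matches


def scan_commands(cmdlines):
    """Return the sorted labels of recovery-inhibition commands observed."""
    found = set()
    for cmd in cmdlines:
        for label, pattern in RECOVERY_COMMANDS:
            if pattern.search(cmd):
                found.add(label)
    return sorted(found)


def assess(snapshot, cmdlines):
    """Combine registry and command evidence into a score and a verdict."""
    registry = audit_registry(snapshot)
    commands = scan_commands(cmdlines)
    score = sum(weight for _, _, _, weight in registry) + 2 * len(commands)
    if score >= 6:
        verdict = "likely_mallox_precursor"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "registry": registry, "commands": commands}


if __name__ == "__main__":
    print(assess(SAMPLE_SNAPSHOT, SAMPLE_COMMANDS))
```

A server with only `shutdownwithoutlogon` set to 0 scores 1 and is reported clean, which is the intended behaviour; the verdict only escalates when the Start-menu hiding values or the recovery commands, which have no routine administrative explanation together, are present.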
Mallox supports a feature to propagate itself by accessing shared folders. Additionally, it collects basic information from infected systems and sends it to the C&C server.
Once these steps are completed, Mallox generates the following ransom note and proceeds to encrypt the files on the system.
4. Comparison with Previous BlueSky Attack Case
The remote screen control malware used in the attack is not open-source or a known tool; it is suspected to be either custom-made by the threat group or an otherwise unknown malware. The earliest sample identified dates to around December 2022, and apart from the type and the C&C server address, it is practically identical to the one identified in this case.
The C&C server address of the malware distributed around December 2022 is identical to the C&C server address identified in a previous attack case covered in The DFIR Report [6]. In this attack case as well, the threat actor targeted improperly managed MS-SQL servers that were externally exposed, and initiated their attack with a brute force attack on the administrator account (SA account).
Subsequently, the threat actor installed Cobalt Strike to control the infected systems, through which they deployed the Tor2Mine CoinMiner and BlueSky ransomware. Each attack utilized the same method of targeting MS-SQL servers, and they all involved the use of newly identified malware. Therefore, it is presumed that the previous BlueSky ransomware and Tor2Mine CoinMiner attack cases were also carried out by the TargetCompany threat group [7].
5. Conclusion
Attack campaigns where the Mallox ransomware is installed on poorly managed MS-SQL servers are continuously being discovered. Following their initial attack, the TargetCompany ransomware group installed Remcos RAT and remote screen control malware. Additionally, they attempted to install the Mallox ransomware on another system to encrypt the infected system. These attacks are presumed to be the work of the same threat actors who previously targeted MS-SQL servers with Tor2Mine CoinMiners and BlueSky ransomware.
Threat actors that use ransomware such as Mallox not only encrypt infected systems but also steal sensitive information, which they use to threaten the victims and increase their profits. Because they employ various techniques for credential theft and lateral movement, not only single systems but the entire internal company network may be compromised, resulting in sensitive data being stolen and systems across the network being encrypted.
Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks on systems where account credentials are poorly managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.
V3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.
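The brute force and dictionary attacks on the SA account that open these intrusions leave a trail in the SQL Server ERRORLOG as error 18456 entries. The script below is an added example (not code from the post or from AhnLab): it parses constructed log lines in the ERRORLOG shape, flags a client that produces a burst of failed logins for one account, and records whether a successful login from that client followed the burst, which is the pattern of a password-guessing attack that worked. It assumes the line format shown; successful logins only appear in the ERRORLOG when the instance's login auditing is set to record both failed and successful logins.

```python
"""Flag SA brute-force bursts in SQL Server ERRORLOG lines.

Added example; not from the post. The log lines are constructed to follow
the ERRORLOG format for error 18456 and for audited successful logins.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_FAIL = ("{} Logon       Login failed for user 'sa'. Reason: Password did not "
         "match that for the login provided. [CLIENT: {}]")
_OK = ("{} Logon       Login succeeded for user 'sa'. Connection made using "
       "SQL Server authentication. [CLIENT: {}]")

# Constructed sample: six failures in 30 seconds from one client, then a
# success; a single failure from another client; one unrelated line.
SAMPLE_ERRORLOG = "\n".join(
    [_FAIL.format(t, "203.0.113.5") for t in (
        "2024-04-18 09:59:58.01", "2024-04-18 10:00:03.44", "2024-04-18 10:00:09.12",
        "2024-04-18 10:00:14.90", "2024-04-18 10:00:20.31", "2024-04-18 10:00:26.05")]
    + [_OK.format("2024-04-18 10:00:31.77", "203.0.113.5"),
       _FAIL.format("2024-04-18 10:05:00.00", "198.51.100.7"),
       "2024-04-18 10:06:00.00 spid52      Starting up database 'tempdb'."]
)

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (failed|succeeded) for user '([^']+)'.*\[CLIENT: ([^\]]+)\]"
)


def parse_errorlog(text):
    """Return [(timestamp, outcome, user, client)] for logon lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window_minutes=10):
    """One finding per (client, user) whose failures reach `threshold`
    within `window_minutes`; notes whether a success followed the burst."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, outcome, user, client in sorted(events):
        by_source[(client, user)].append((ts, outcome))

    findings = []
    for (client, user), items in by_source.items():
        failures = [ts for ts, outcome in items if outcome == "failed"]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                last_failure = burst[-1]
                success_after = any(outcome == "succeeded" and ts > last_failure
                                    for ts, outcome in items)
                findings.append({
                    "client": client,
                    "user": user,
                    "failures": len(burst),
                    "first": start.isoformat(sep=" "),
                    "succeeded_after": success_after,
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_errorlog(SAMPLE_ERRORLOG)):
        print(finding)
```

The same logic applies to Windows Security log event 4625/4624 pairs if SQL Server authentication is not used; what matters is the burst followed by a success from the same source, which is the moment to check for the SQLPS, Remcos and AnyDesk activity described earlier in this post.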
File Detection
– Downloader/Win.Agent.C5614241 (2024.04.18.03)
– Backdoor/Win.Remcos.C5607317 (2024.04.03.00)
– Ransomware/Win.Mallox.C5601155 (2024.03.15.01)
– Trojan/Win.Generic.C5352187 (2023.01.07.01)
Behavior Detection
– Execution/MDP.Powershell.M4602
– Ransom/MDP.Decoy.M1171
– Ransom/MDP.Command.M1751
– Ransom/MDP.Event.M1946
IoC
MD5
– 52819909e2a662210ab4307e0f5bf562: Remcos RAT (walkingrpc.bat)
– 20dd8410ff11915a0b1f4a5018c9c340: Remote screen control malware (launcher.exe)
– 09b17832fc76dcc50a4bf20bd1343bb8: Mallox ransomware (360.exe)
– 3297dc417cf85cfcea194f88a044aebd: Remote screen control malware – past case
– ff011e8a1d1858f529e8a4f591dc0f02: Remote screen control malware – past case
C&C Servers
– 80.66.75[.]238:3388: Remcos RAT
– hxxps://80.66.75[.]238:3030: Remote screen control malware
– hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php: Mallox ransomware
– hxxps://5.188.86[.]237:3030: Remote screen control malware – past case
Download URL
– hxxp://42.193.223[.]169/extensioncompabilitynode.exe : Remcos RAT
References
Processes to be terminated
– “sqlserv.exe”, “oracle.exe”, “ntdbsmgr.exe”, “sqlservr.exe”, “sqlwriter.exe”, “MsDtsSrvr.exe”, “msmdsrv.exe”, “ReportingServecesService.exe”, “fdhost.exe”, “fdlauncher.exe”, “mysql.exe”
Services to be terminated
– “SiebelApplicationContainer_Siebel_Home_d_Siebel_sai”, “ReportServer$SQLEXPRESS”, “SQL Server Reporting Services”, “SQL Server (MSSQLSERVER)”, “MSSQLFDLauncher”, “SQLSERVERAGENT”, “SQLBrowser”, “SQLTELEMETRY”, “MsDtsServer130”, “SSISTasdRY130”, “MSSQL$WOLTERSKLUWER”, “SQLAgent$PROGID”, “SQLWriter”, “MSSQL$VEEAMSQL2012”, “SQLAgent$VEEAMSQL2012”, “MSSQL”, “SQLAgent”, “MSSQLServerADHelper100”, “MSSQLServerOLAPService”, “MsDtsServer100”, “ReportServer”, “SQLTELEMETRY$HL”, “TMBMServer”, “MSSQL$PROGID”, “XT800Service_Personal”, “AHS SERVICE”, “Sense Shield Service”, “FontCache3.0.0.0”, “OSP Service”, “DAService_TCP”, “eCard-TTransServer”, “wanxiao-monitor”, “vm-agent”, “SyncBASE Service”, “Flash Helper Service”, “Kiwi Syslog Server”, “UWS HiPriv Services”, “UWS LoPriv Services”, “UtilDev Web Server Pro”, “ZTE USBIP Client Guard”, “ZTE USBIP Client”, “ZTE FileTranS”, “Zabbix Agent”, “EasyFZS Server”, “Rpc Monitor”, “Nuo Update Monitor”, “Daemon Service”, “FlexNet Licensing Service 64”, “U8WorkerService2”, “U8MPool”, “U8WebPool”, “U8WorkerService1”, “TongBackupSrv”, “cbVSCService11”, “CobianBackup11”, “MSSQLSERVER”, “MSSQL$”, “vss”, “vmvss”, “MSSQL$FE_EXPRESS”, “SQLANYs_Sage_FAS_Fixed_Assets”, “MSSQL$VIM_SQLEXP”, “QcSoftService”, “VMTools”, “VGAuthService”, “MSDTC”, “TeamViewer”, “RabbitMQ”, “SSMonitorService”, “SSSyncService”, “TPlusStdAppService1300”, “MSSQL$SQL2008”, “SQLAgent$SQL2008”, “TPlusStdTaskService1300”, “TPlusStdUpgradeService1300”, “VirboxWebServer”, “jhi_service”, “LMS”, “eCardMPService”, “EnergyDataService”, “UI0Detect”, “K3MobileService”, “TCPIDDAService”, “WebAttendServer”, “UIODetect”, “VMAuthdService”, “VMUSBArbService”, “VMwareHostd”, “VmAgentDaemon”, “OpenSSHd”, “eSightService”, “apachezt”, “Jenkins”, “secbizsrv”, “MSMQ”, “smtpsvrJT”, “zyb_sync”, “360EntHttpServer”, “360EntSvc”, “360EntClientSvc”, “NFWebServer”, “wampapache”, “MSSEARCH”, “msftesql”, “OracleDBConcoleorcl”, “OracleJobSchedulerORCL”, “OracleMTSRecoveryService”, “OracleOraDb11g_home1ClrAgent”, “OracleOraDb11g_home1TNSListener”, “OracleVssWriterORCL”, “OracleServiceORCL”, “aspnet_state”, “Redis”, “JhTask”, “ImeDictUpdateService”, “MCService”, “allpass_redisservice_port21160”, “ftnlsv3”, “ftnlses3”, “FxService”, “ftusbrdwks”, “ftusbrdsrv”, “wwbizsrv”, “qemu-ga”, “AlibabaProtect”, “ZTEVdservice”, “kbasesrv”, “MMRHookService”, “IpOverUsbSvc”, “KuaiYunTools”, “KMSELDI”, “btPanel”, “Protect_2345Explorer”, “2345PicSvc”, “vmware-converter-agent”, “vmware-converter-server”, “vmware-converter-worker”, “QQCertificateService”, “OracleRemExecService”, “GPSDaemon”, “GPSUserSvr”, “GPSDownSvr”, “GPSStorageSvr”, “GPSDataProcSvr”, “GPSGatewaySvr”, “GPSMediaSvr”, “GPSLoginSvr”, “GPSTomcat6”, “GPSMysqld”, “GPSFtpd”, “BackupExecAgentAccelerator”, “bedbg”, “BackupExecDeviceMediaService”, “BackupExecRPCService”, “BackupExecAgentBrowser”, “BackupExecJobEngine”, “BackupExecManagementService”, “MDM”, “TxQBService”, “Gailun_Downloader”, “RemoteAssistService”, “YunService”, “Serv-U”, “OpenFastAssist”, “asComSvc”, “OfficeUpdateService”, “RtcSrv”, “RTCASMCU”, “FTA”, “MASTER”, “NscAuthService”, “MSCRMUnzipService”, “MSCRMAsyncService$maintenance”, “MSCRMAsyncService”, “REPLICA”, “RTCATS”, “RTCAVMCU”, “RtcQms”, “RTCMEETINGMCU”, “RTCIMMCU”, “RTCDATAMCU”, “RTCCDR”, “ProjectEventService16”, “ProjectQueueService16”, “SPAdminV4”, “SPSearchHostController”, “SPTimerV4”, “SPTraceV4”, “OSearch16”, “ProjectCalcService16”, “c2wts”, “AppFabricCachingService”, “ADWS”, “MotionBoard57”, “MotionBoardRCService57”, “vsvnjobsvc”, “VisualSVNServer”, “BestSyncSvc”, “LPManager”, “MediatekRegistryWriter”, “RaAutoInstSrv_RT2870”, “CobianBackup10”, “SQLANYs_sem5”, “CASLicenceServer”, “SQLService”, “semwebsrv”, “TbossSystem”, “ErpEnvSvc”, “Mysoft.Autoupgrade.DispatchService”, “Mysoft.Autoupgrade.UpdateService”, “Mysoft.Config.WindowsService”, “Mysoft.DataCenterService”, “Mysoft.SchedulingService”, “Mysoft.Setup.InstallService”, “MysoftUpdate”, “edr_monitor”, “abs_deployer”, “savsvc”, “ShareBoxMonitorService”, “ShareBoxService”, “CloudExchangeService”, “CIS”, “EASService”, “KICkSvr”, “U8SmsSrv”, “OfficeClearCache”, “TurboCRM70”, “U8DispatchService”, “U8EISService”, “U8EncryptService”, “U8GCService”, “U8KeyManagePool”, “U8SCMPool”, “U8SLReportService”, “U8TaskService”, “UFAllNet”, “UFReportService”, “UTUService”
The post Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) appeared first on ASEC BLOG.