- AhnLab SEcurity intelligence Center (ASEC) has recently confirmed cases of the TargetCompany ransomware group installing Mallox ransomware on MS-SQL servers.
- The TargetCompany ransomware group primarily targets poorly managed MS-SQL servers to install Mallox ransomware.
- These attacks have been ongoing for years; this analysis covers newly identified malware and its connection to earlier attacks that distributed the Tor2Mine coin miner and BlueSky ransomware.
- As in previous cases, the attack targeted poorly managed MS-SQL servers.
- The attackers reached the servers through indiscriminate brute force and dictionary attacks against the SA account.
While monitoring recent attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) confirmed a case in which the TargetCompany ransomware group installed Mallox ransomware. The TargetCompany ransomware group mainly attacks improperly managed MS-SQL servers to install Mallox ransomware. These attacks have been going on for several years; here we use newly confirmed malware to summarize the connection with past attacks that distributed the Tor2Mine coin miner and BlueSky ransomware.
Similar to previous cases, this attack targeted an improperly managed MS-SQL server. The attacker is believed to have gained access through brute force and dictionary attacks against the SA account and, after logging in, installed Remcos RAT. Four hours after the initial compromise, additional remote screen control malware was installed through Remcos RAT; the attacker presumably used these tools to survey the infected system and steal information. In another attack, Mallox ransomware was installed about 29 hours later and attempted to encrypt the infected system.
1. Remcos RAT
Remcos is sold commercially as a remote administration tool. However, like other RAT (Remote Access Trojan) malware, it supports keylogging, screenshot capture, webcam and microphone control, and extraction of browser history and saved passwords from the infected system, so it is abused by many threat actors. [1]
Remcos is usually distributed disguised as a spam email attachment or as cracked software, but it is also frequently used together with Cobalt Strike to control infected systems in attacks on improperly managed MS-SQL servers. [2] Around May 2023 it was observed being installed, after the MS-SQL server had been compromised, through the SQLPS utility instead of PowerShell in order to evade detection by security products.
The attack confirmed this time also targeted an improperly managed server, and the SQLPS tool was again used to install the malware.
The Remcos RAT used in the attack is version 4.9.3 Light. Unlike the Pro version, the Light version does not support features such as keylogging or screenshot capture. The following are some of the configuration values that Remcos RAT decrypts at runtime.
Setting | Data
---|---
Host:Port:Password | 80.66.75[.]238:3388:1
Assigned name | RemoteHost
Connect interval | 1
Mutex | Rmc-8P1R4F
Keylog flag | Disabled
Keylog path | Application path
Keylog file | logs.dat
Screenshot flag | Disabled
Screenshot time | 10
Screenshot path | AppData
Screenshot file | Screenshots
Audio record time | 5
Audio folder | MicRecords
Copy folder | Remcos
Keylog folder | remcos
Table 1. Some of the configuration data of Remcos RAT [3]
The attacker installed additional malware through Remcos RAT. The first was malware that lets the attacker control the infected system through AnyDesk and a newly added user account, presumably to obtain full remote control since the Remcos build used in the attack is the Light version. In another attack, Mallox ransomware was installed about 29 hours later and attempted to encrypt the infected system.
2. Remote screen control malware
Four hours after the initial infection, the attacker used Remcos RAT to install malware that adds further remote control capabilities. The malware first connects to the "creds" path on the C&C server and downloads a string. The C&C server was unreachable at the time of analysis, but the string is presumed to be in "ID;PW" format: the malware adds a local user account with that ID and password and registers it in the Administrators group.
URL | Description
---|---
https://{C&C server}/creds | Download the user account string to add (ID;PW format)
https://{C&C server}/secret | Download the password to set on AnyDesk after installation
https://{C&C server}/desk | Download the AnyDesk installer (MSI)
https://{C&C server}/gate/{AnyDesk_ID} | Report the ID of the installed AnyDesk instance
Table 2. Communication with the C&C server
It then requests the "secret" path and downloads a string, which is the password to set on AnyDesk after installation. It also checks whether the "\AnyDeskMSI\AnyDeskMSI.exe" file exists under the Program Files path; if AnyDesk is not installed, it downloads the AnyDesk installer in MSI format from the "desk" path and installs it. Having done so, it sets the password downloaded from the C&C server on AnyDesk and reads the ID of the installed AnyDesk instance. Finally, it reports that ID to the "gate" path.
Parameter | Description
---|---
--start-service | Start the AnyDesk service
--set-password | Set the AnyDesk password
--restart-service | Restart the AnyDesk service
--get-id | Obtain the ID of the installed AnyDesk instance
Table 3. AnyDesk command-line parameters used during installation
With the AnyDesk ID reported to the C&C server, the attacker could connect to the infected system and authenticate with the password delivered as "secret". The added account would additionally allow remote screen control by logging into the infected system over RDP (Remote Desktop).
3. Mallox ransomware
Mallox, together with Trigona and BlueSky, is one of the ransomware families most often seen attacking improperly managed MS-SQL servers. [4] In this case the attacker also installed Mallox ransomware on another system through Remcos RAT.
Item | Description
---|---
Encryption algorithm | AES-256 / SHA-256, AES-128-CTR [5]
Encrypted file extension | ".rmallox"
Ransom note name | "HOW TO BACK FILES.txt"
Extensions encrypted first | ".bak", ".zip", ".rar", ".7z", ".gz", ".sql", ".mdf", ".hdd", ".vhd", ".vdi", ".vmx", ".vmdk", ".nvram", ".vmem", ".vmsn", ".vmsd", ".vmss", ".lck", ".vhdx", ".vhd", ".dbf", ".ora", ".oraenv", ".dmp", ".ibd", ".mdb", ".smd", ".mdb"
Paths excluded from encryption | "msocache", "$windows.~ws", "system volume information", "intel", "appdata", "perflogs", "programdata", "google", "application data", "tor browser", "boot", "$windows.~bt", "mozilla", "boot", "windows.old", "Windows Microsoft.NET", "WindowsPowerShell", "Windows NT", "Windows", "Common Files", "Microsoft Security Client", "Internet Explorer", "Reference", "Assemblies", "Windows Defender", "Microsoft ASP.NET", "Core Runtime", "Package", "Store", "Microsoft Help Viewer", "Microsoft MPI", "Windows Kits", "Microsoft.NET", "Windows Mail", "Microsoft Security Client", "Package Store", "Microsoft Analysis Services", "Windows Portable Devices", "Windows Photo Viewer", "Windows Sidebar"
Files excluded from encryption | "desktop.ini", "ntuser.dat", "thumbs.db", "iconcache.db", "ntuser.ini", "ntldr", "bootfont.bin", "ntuser.dat.log", "bootsect.bak", "boot.ini", "autorun.inf", "debugLog.txt", "TargetInfo.txt"
Extensions excluded from encryption | ".msstyles", ".icl", ".idx", ".avast", ".rtp", ".mallox", ".sys", ".nomedia", ".dll", ".hta", ".cur", ".lock", ".cpl", ".Globeimposter-Alpha865qqz", ".ics", ".hlp", ".com", ".spl", ".msi", ".key", ".mpa", ".rom", ".drv", ".bat", ".386", ".adv", ".diangcab", ".mod", ".scr", ".theme", ".ocx", ".prf", ".cab", ".diagcfg", ".msu", ".cmd", ".ico", ".msc", ".ani", ".icns", ".diagpkg", ".deskthemepack", ".wpx", ".msp", ".bin", ".themepack", ".shs", ".nls", ".exe", ".lnk", ".ps1", ".rmallox"
Processes terminated | See the list under References
Services terminated | See the list under References
C&C address | hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php
Other | Deletes volume shadow copies; disables shutdown
Table 4. Mallox ransomware
Mallox ransomware first deletes volume shadow copies and disables Windows recovery features with the following commands.
```
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmd.exe /c bcdedit /set {current} recoveryenabled no
vssadmin.exe delete shadows /all /quiet
```
It also forcibly terminates processes and services that would interfere with file encryption, such as databases, virtualization software, and backup solutions. Mallox then sets the following registry values so that the user cannot power off or reboot the system during encryption: the shutdown, restart, and sign-out buttons are hidden and the shutdown option on the logon screen is disabled.
Registry value | Description
---|---
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown / value / 0x00000001 | Hide the Shutdown button
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart / value / 0x00000001 | Hide the Restart button
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut / value / 0x00000001 | Hide the Sign out button
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / shutdownwithoutlogon / 0x00000000 | Disable shutdown from the logon screen
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / MaxConnectionTime / 0x00000000 | Remove the Remote Desktop connection time limit
Table 5. Registry modifications
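Sections 2 and 3 together describe two command-line chains that are easy to hunt for in endpoint telemetry: the account creation plus AnyDesk installation performed by the remote screen control malware, and the shadow copy deletion, bcdedit changes and registry edits that Mallox performs before encrypting. The following is an added example written for this page, not ASEC's code or anything recovered from the attacker's tooling. It applies a small rule set to constructed events shaped like Sysmon Event ID 1 (process creation, matched on the command line) and Event ID 13 (registry value set, matched on the target path); the host names, account names, timestamps and paths are made up, and the AnyDesk install path follows the "\AnyDeskMSI\AnyDeskMSI.exe" location given in the text. A single hit never alerts; an alert requires at least two distinct rules of the same technique on one host within a time window, so an administrator legitimately running vssadmin once does not trip it.

```python
"""
Added example (not ASEC's or the attacker's code): rule-based detection of the two
command-line chains described in sections 2 and 3, run over constructed
process-creation and registry-set telemetry shaped like Sysmon Event ID 1 / 13.
Host names, account names, timestamps and file paths below are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, technique tag, event kind, pattern over the lower-cased event text).
# "process" events carry the command line, "registry" events the target value path.
RULES = [
    # Section 2: user added from the downloaded "ID;PW" string and made an administrator,
    # AnyDesk installed from MSI, then configured through its command-line switches.
    ("local_account_added", "remote_control_setup", "process",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("added_to_administrators", "remote_control_setup", "process",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b")),
    ("anydesk_msi_install", "remote_control_setup", "process",
     re.compile(r"\bmsiexec(\.exe)?\b.*\banydesk\S*\.msi\b")),
    ("anydesk_password_set", "remote_control_setup", "process",
     re.compile(r"\banydeskmsi\.exe\b.*--set-password\b")),
    ("anydesk_id_read", "remote_control_setup", "process",
     re.compile(r"\banydeskmsi\.exe\b.*--get-id\b")),
    # Section 3: Mallox recovery inhibition (bcdedit/vssadmin commands and the Table 5 values).
    ("shadow_copies_deleted", "ransomware_prep", "process",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("recovery_disabled", "ransomware_prep", "process",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("shutdown_ui_hidden", "ransomware_prep", "registry",
     re.compile(r"policymanager\\default\\start\\hide(shutdown|restart|signout)\b")),
    ("logon_shutdown_disabled", "ransomware_prep", "registry",
     re.compile(r"policies\\system\\shutdownwithoutlogon\b")),
    ("rdp_time_limit_cleared", "ransomware_prep", "registry",
     re.compile(r"terminal services\\maxconnectiontime\b")),
]


def detect(events, window=timedelta(minutes=30), min_rules=2):
    """Return one alert per (host, technique) where at least `min_rules` distinct
    rules fire within `window` of each other. A lone hit does not alert."""
    hits = defaultdict(list)                      # (host, tag) -> [(ts, rule name)]
    for ev in events:
        text = ev["text"].lower()
        for name, tag, kind, pattern in RULES:
            if ev["kind"] == kind and pattern.search(text):
                hits[(ev["host"], tag)].append((ev["ts"], name))

    alerts = []
    for (host, tag), matched in sorted(hits.items()):
        matched.sort()
        best = set()
        for i, (start, _) in enumerate(matched):   # densest window starting at each hit
            names = {name for ts, name in matched[i:] if ts - start <= window}
            if len(names) > len(best):
                best = names
        if len(best) >= min_rules:
            alerts.append({"host": host, "technique": tag,
                           "first_seen": min(ts for ts, _ in matched),
                           "rules": sorted(best)})
    return alerts


def _ev(ts, host, kind, text):
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "text": text}


# Constructed telemetry. Event 0 is benign; SQL01 mirrors section 2, SQL02 section 3.
SAMPLE_EVENTS = [
    _ev("2024-04-10T09:00:00", "SQL01", "process", r'"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER'),
    _ev("2024-04-10T13:00:02", "SQL01", "process", "cmd.exe /c net user svc_backup P@ssw0rd123 /add"),
    _ev("2024-04-10T13:00:03", "SQL01", "process", "cmd.exe /c net localgroup administrators svc_backup /add"),
    _ev("2024-04-10T13:00:40", "SQL01", "process", r"msiexec.exe /i C:\Users\Public\AnyDesk.msi /qn"),
    _ev("2024-04-10T13:01:10", "SQL01", "process", r'"C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe" --set-password'),
    _ev("2024-04-10T13:01:12", "SQL01", "process", r'"C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe" --get-id'),
    _ev("2024-04-11T18:00:00", "SQL02", "process", "cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"),
    _ev("2024-04-11T18:00:01", "SQL02", "process", "cmd.exe /c bcdedit /set {current} recoveryenabled no"),
    _ev("2024-04-11T18:00:02", "SQL02", "process", "vssadmin.exe delete shadows /all /quiet"),
    _ev("2024-04-11T18:00:03", "SQL02", "registry", r"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"),
    _ev("2024-04-11T18:00:03", "SQL02", "registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon"),
    _ev("2024-04-11T18:00:04", "SQL02", "registry", r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxConnectionTime"),
    _ev("2024-04-11T18:30:00", "SQL02", "registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['technique']} ({len(alert['rules'])} rules) "
              f"-> {', '.join(alert['rules'])}")
```

The registry rules are matched on the value path rather than on a reg.exe command line because the page says only that Mallox "sets" these values, not how; a ransomware binary normally does this through the registry API, which command-line monitoring alone would miss. The "Windows NT\Terminal Services\MaxConnectionTime" rule is a weaker signal on its own, which is why the correlation requires a second rule before alerting.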
Mallox can also spread itself by accessing shared folders, and it collects basic information about the infected system and sends it to the C&C server.
Once these steps are complete, Mallox drops its ransom note ("HOW TO BACK FILES.txt") and encrypts the files on the system.
4. Comparison with past BlueSky attack cases
The remote screen control malware used in this attack is not an open-source or otherwise known tool; it is presumed to be either custom-built by the attacker or simply not yet publicly identified. The earliest samples date to at least December 2022, and apart from the C&C server address the newly confirmed sample is substantially identical to them.
The C&C server address of the sample distributed around December 2022 is the same as the one identified in an attack previously covered by The DFIR Report. [6] In that case the attacker went after an externally exposed, improperly managed MS-SQL server, starting with a brute force attack on the administrator (SA) account.
The attacker then installed Cobalt Strike to control the infected system and used it to deploy the Tor2Mine coin miner and BlueSky ransomware. The attacks share the same initial access method against MS-SQL servers and the same newly identified malware, so the earlier BlueSky ransomware and Tor2Mine coin miner attacks are also presumed to be the work of the TargetCompany attacker.
5. Conclusion
Attacks that install Mallox ransomware on improperly managed MS-SQL servers continue to be confirmed. After the initial compromise, the TargetCompany ransomware group installed Remcos RAT and remote screen control malware, and on another system attempted to encrypt the infected host by installing Mallox ransomware. The attack is believed to be the work of the same actor that previously attacked MS-SQL servers with the Tor2Mine coin miner and BlueSky ransomware.
Ransomware operators such as the Mallox group encrypt infected systems and steal sensitive information, then extort the victim for profit. Because they also use a variety of techniques to steal credentials and move laterally, a single compromised system can lead to the takeover of the entire internal network, theft of the company's sensitive data, and encryption of systems across the network.
Typical attacks on MS-SQL servers are brute force and dictionary attacks against systems whose account credentials are poorly managed. Administrators should protect database servers from these attacks by using passwords that are difficult to guess and changing them periodically.
They should also keep V3 updated to the latest version to block malware infections in advance, and restrict external access to database servers that are reachable from the outside using security products such as firewalls. Without these measures, infections by attackers and malware are likely to recur.
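The brute force and dictionary attacks described above leave a direct trace on the server itself: SQL Server records every failed login (error 18456) in its ERRORLOG with the offending login name and client address, and, when login auditing is set to "Both failed and successful logins", the successful logins too. The following is an added example, not ASEC's code, that parses such lines and raises an alert when one client IP accumulates many failures in a short window, also reporting any account that logged in from that IP after the burst began, which is the pattern that would indicate the SA password was actually guessed. The log excerpt is constructed; 203.0.113.77 and 10.0.0.25 are documentation addresses and are not indicators from this report.

```python
"""
Added example (not ASEC's code): detect password guessing against SQL Server from
the ERRORLOG logon audit lines. The excerpt below is constructed for this example;
203.0.113.77 and 10.0.0.25 are documentation addresses, not indicators from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server writes each logon audit record as
#   "<timestamp> Logon  Login failed|succeeded for user '<name>'. <detail> [CLIENT: <ip>]"
# The "Error: 18456, Severity: 14, State: N." line that precedes a failure is skipped.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r"(?P<detail>.*?)\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_logon_events(lines):
    """Return dicts for the lines that are logon audit records; ignore everything else."""
    events = []
    for line in lines:
        m = LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "outcome": m["outcome"],
                "user": m["user"],
                "detail": m["detail"].strip(),
                "client": m["client"].strip(),
            })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per client IP with >= threshold failed logins inside any `window`,
    listing the accounts tried and any account that logged in afterwards from that IP."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "failed"]
        burst_start = None
        left = 0
        for right, f in enumerate(failures):          # sliding window over failures
            while f["ts"] - failures[left]["ts"] > window:
                left += 1
            if right - left + 1 >= threshold and burst_start is None:
                burst_start = failures[left]["ts"]
        if burst_start is None:
            continue
        compromised = sorted({e["user"] for e in evs
                              if e["outcome"] == "succeeded" and e["ts"] >= burst_start})
        alerts.append({
            "client": client,
            "failures": len(failures),
            "users_tried": sorted({f["user"] for f in failures}),
            "sa_targeted": any(f["user"].lower() == "sa" for f in failures),
            "compromised": compromised,
        })
    return alerts


# Constructed ERRORLOG excerpt: a short guessing run against 'sa' and 'admin' that ends
# in a successful 'sa' login, plus one unrelated typo from an internal application host.
SAMPLE_ERRORLOG = """\
2024-04-10 03:11:50.01 spid9s      Starting up database 'tempdb'.
2024-04-10 03:12:01.45 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-10 03:12:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:02.74 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:03.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:03.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2024-04-10 03:12:04.03 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.77]
2024-04-10 03:15:12.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
""".splitlines()

if __name__ == "__main__":
    for a in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(f"{a['client']}: {a['failures']} failed logins, users {a['users_tried']}, "
              f"sa targeted: {a['sa_targeted']}, logged in afterwards: {a['compromised']}")
```

By default SQL Server logs only failed logins, so the "compromised" field stays empty unless login auditing is switched to both failed and successful logins; without that setting the burst is still visible, but the moment the attacker gets in is not. Real attacks of this kind often spread attempts over longer periods, so the window and threshold should be tuned to the server's normal failure rate rather than left at the values used for this sample.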
File Detection
– Downloader/Win.Agent.C5614241 (2024.04.18.03)
– Backdoor/Win.Remcos.C5607317 (2024.04.03.00)
– Ransomware/Win.Mallox.C5601155 (2024.03.15.01)
– Trojan/Win.Generic.C5352187 (2023.01.07.01)
Behavior Detection
– Execution/MDP.Powershell.M4602
– Ransom/MDP.Decoy.M1171
– Ransom/MDP.Command.M1751
– Ransom/MDP.Event.M1946
IoC
MD5
– 52819909e2a662210ab4307e0f5bf562 : Remcos RAT (walkingrpc.bat)
– 20dd8410ff11915a0b1f4a5018c9c340 : Remote screen control malware (launcher.exe)
– 09b17832fc76dcc50a4bf20bd1343bb8 : Mallox ransomware (360.exe)
– 3297dc417cf85cfcea194f88a044aebd: Remote screen control malware – Past case
– ff011e8a1d1858f529e8a4f591dc0f02: Remote screen control malware – past cases
C&C server
– 80.66.75[.]238:3388 : Remcos RAT
– hxxps://80.66.75[.]238:3030 : Remote screen control malware
– hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php : Mallox ransomware
– hxxps://5.188.86[.]237:3030: Remote screen control malware – past cases
Download address
– hxxp://42.193.223[.]169/extensioncompabilitynode.exe: Remcos RAT
References
Processes terminated by Mallox
– "sqlserv.exe", "oracle.exe", "ntdbsmgr.exe", "sqlservr.exe", "sqlwriter.exe", "MsDtsSrvr.exe", "msmdsrv.exe", "ReportingServecesService.exe", "fdhost.exe", "fdlauncher.exe", "mysql.exe"
Services terminated by Mallox
– "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai", "ReportServer$SQLEXPRESS", "SQL Server Reporting Services", "SQL Server (MSSQLSERVER)", "MSSQLFDLauncher", "SQLSERVERAGENT", "SQLBrowser", "SQLTELEMETRY", "MsDtsServer130", "SSISTasdRY130", "MSSQL$WOLTERSKLUWER", "SQLAgent$PROGID", "SQLWriter", "MSSQL$VEEAMSQL2012", "SQLAgent$VEEAMSQL2012", "MSSQL", "SQLAgent", "MSSQLServerADHelper100", "MSSQLServerOLAPService", "MsDtsServer100", "ReportServer", "SQLTELEMETRY$HL", "TMBMServer", "MSSQL$PROGID", "XT800Service_Personal", "AHS SERVICE", "Sense Shield Service", "FontCache3.0.0.0", "OSP Service", "DAService_TCP", "eCard-TTransServer", "wanxiao-monitor", "vm-agent", "SyncBASE Service", "Flash Helper Service", "Kiwi Syslog Server", "UWS HiPriv Services", "UWS LoPriv Services", "UtilDev Web Server Pro", "ZTE USBIP Client Guard", "ZTE USBIP Client", "ZTE FileTranS", "Zabbix Agent", "EasyFZS Server", "Rpc Monitor", "Nuo Update Monitor", "Daemon Service", "FlexNet Licensing Service 64", "U8WorkerService2", "U8MPool", "U8WebPool", "U8WorkerService1", "TongBackupSrv", "cbVSCService11", "CobianBackup11", "MSSQLSERVER", "MSSQL$", "vss", "vmvss", "MSSQL$FE_EXPRESS", "SQLANYs_Sage_FAS_Fixed_Assets", "MSSQL$VIM_SQLEXP", "QcSoftService", "VMTools", "VGAuthService", "MSDTC", "TeamViewer", "RabbitMQ", "SSMonitorService", "SSSyncService", "TPlusStdAppService1300", "MSSQL$SQL2008", "SQLAgent$SQL2008", "TPlusStdTaskService1300", "TPlusStdUpgradeService1300", "VirboxWebServer", "jhi_service", "LMS", "eCardMPService", "EnergyDataService", "UI0Detect", "K3MobileService", "TCPIDDAService", "WebAttendServer", "UIODetect", "VMAuthdService", "VMUSBArbService", "VMwareHostd", "VmAgentDaemon", "OpenSSHd", "eSightService", "apachezt", "Jenkins", "secbizsrv", "MSMQ", "smtpsvrJT", "zyb_sync", "360EntHttpServer", "360EntSvc", "360EntClientSvc", "NFWebServer", "wampapache", "MSSEARCH", "msftesql", "OracleDBConcoleorcl", "OracleJobSchedulerORCL", "OracleMTSRecoveryService", "OracleOraDb11g_home1ClrAgent", "OracleOraDb11g_home1TNSListener", "OracleVssWriterORCL", "OracleServiceORCL", "aspnet_state", "Redis", "JhTask", "ImeDictUpdateService", "MCService", "allpass_redisservice_port21160", "ftnlsv3", "ftnlses3", "FxService", "ftusbrdwks", "ftusbrdsrv", "wwbizsrv", "qemu-ga", "AlibabaProtect", "ZTEVdservice", "kbasesrv", "MMRHookService", "IpOverUsbSvc", "KuaiYunTools", "KMSELDI", "btPanel", "Protect_2345Explorer", "2345PicSvc", "vmware-converter-agent", "vmware-converter-server", "vmware-converter-worker", "QQCertificateService", "OracleRemExecService", "GPSDaemon", "GPSUserSvr", "GPSDownSvr", "GPSStorageSvr", "GPSDataProcSvr", "GPSGatewaySvr", "GPSMediaSvr", "GPSLoginSvr", "GPSTomcat6", "GPSMysqld", "GPSFtpd", "BackupExecAgentAccelerator", "bedbg", "BackupExecDeviceMediaService", "BackupExecRPCService", "BackupExecAgentBrowser", "BackupExecJobEngine", "BackupExecManagementService", "MDM", "TxQBService", "Gailun_Downloader", "RemoteAssistService", "YunService", "Serv-U", "OpenFastAssist", "asComSvc", "OfficeUpdateService", "RtcSrv", "RTCASMCU", "FTA", "MASTER", "NscAuthService", "MSCRMUnzipService", "MSCRMAsyncService$maintenance", "MSCRMAsyncService", "REPLICA", "RTCATS", "RTCAVMCU", "RtcQms", "RTCMEETINGMCU", "RTCIMMCU", "RTCDATAMCU", "RTCCDR", "ProjectEventService16", "ProjectQueueService16", "SPAdminV4", "SPSearchHostController", "SPTimerV4", "SPTraceV4", "OSearch16", "ProjectCalcService16", "c2wts", "AppFabricCachingService", "ADWS", "MotionBoard57", "MotionBoardRCService57", "vsvnjobsvc", "VisualSVNServer", "BestSyncSvc", "LPManager", "MediatekRegistryWriter", "RaAutoInstSrv_RT2870", "CobianBackup10", "SQLANYs_sem5", "CASLicenceServer", "SQLService", "semwebsrv", "TbossSystem", "ErpEnvSvc", "Mysoft.Autoupgrade.DispatchService", "Mysoft.Autoupgrade.UpdateService", "Mysoft.Config.WindowsService", "Mysoft.DataCenterService", "Mysoft.SchedulingService", "Mysoft.Setup.InstallService", "MysoftUpdate", "edr_monitor", "abs_deployer", "savsvc", "ShareBoxMonitorService", "ShareBoxService", "CloudExchangeService", "CIS", "EASService", "KICkSvr", "U8SmsSrv", "OfficeClearCache", "TurboCRM70", "U8DispatchService", "U8EISService", "U8EncryptService", "U8GCService", "U8KeyManagePool", "U8SCMPool", "U8SLReportService", "U8TaskService", "UFAllNet", "UFReportService", "UTUService"
https://asec.ahnlab.com/ko/64345