
Cyber Criminals Exploiting MS-SQL Servers To Deploy Mallox Ransomware


A recent incident on an MS-SQL (Microsoft SQL Server) honeypot shows the tactics used by the cybercriminals behind the Mallox ransomware (also known as Fargo, TargetCompany and Mawahelper).

The honeypot, set up by Sekoia researchers, was targeted by an intrusion set that brute-forced its way in and then deployed the Mallox ransomware through the PureCrypter loader, abusing built-in MS-SQL functionality to run commands on the underlying host.

Upon analysing Mallox samples, the researchers identified two different affiliates with different goals: one opportunistically exploited vulnerable systems, while the other sought larger-scale breaches of information systems.

The initial brute-force attack targeted the built-in "sa" (system administrator) login and gained access to the MS-SQL server within an hour of the honeypot going live. Throughout the monitoring period the attacker kept brute-forcing, showing sustained effort even after the first success.

The researchers also observed post-access activity that followed recurring patterns. The attacker used several techniques: enabling server options through sp_configure, building CLR assemblies, and using OLE Automation Procedures and xp_cmdshell to execute commands on the host. The payloads led to a .NET loader called PureCrypter, which in turn launched the Mallox ransomware. PureCrypter is sold as Malware-as-a-Service by a threat actor known as PureCoder, and it uses a number of evasion techniques to hinder detection and analysis.
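The two stages described above, a password brute force against "sa" followed by the attacker switching on the server options that give T-SQL a path to the host (xp_cmdshell, OLE Automation Procedures, CLR), are both visible in the SQL Server ERRORLOG. The script below is an added example and is not code from the Sekoia report or from this post. It runs over constructed ERRORLOG lines in the format SQL Server writes for failed logins and sp_configure changes; the IP addresses, timestamps, the five-failures-in-ten-minutes threshold and the function names are assumptions chosen for the illustration.

```python
"""Flag the two stages of the honeypot intrusion in SQL Server ERRORLOG text:
a password brute force against one login (here 'sa') followed by the attacker
enabling the server options that turn a SQL login into host command execution.
Added example; thresholds, addresses and names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (hypothetical, not the honeypot's log).
SAMPLE_ERRORLOG = """\
2024-04-10 12:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-04-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:00:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:00:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:00:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:00:03.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:00:03.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 12:09:44.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-04-10 12:55:30.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-04-10 12:57:02.40 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-10 12:57:02.41 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-10 12:57:03.10 spid57      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-10 12:57:05.00 spid57      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# Server options that expose the host OS to T-SQL: xp_cmdshell, sp_OACreate and
# friends (OLE Automation), and CREATE ASSEMBLY (CLR). Compared case-insensitively.
HOST_ACCESS_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}


def parse_errorlog(text):
    """Return (timestamp, message) for every well-formed ERRORLOG line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, client_ip): total_failures} for each source that produced
    at least `threshold` failed logins for one login name inside any `window`."""
    failures = defaultdict(list)
    for ts, msg in events:
        m = LOGIN_RE.search(msg)
        if m and m["outcome"] == "failed":
            failures[(m["user"], m["ip"])].append(ts)
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged


def successful_logins_from(events, sources):
    """Successful logins by a (user, ip) pair that was already brute-forcing:
    the point at which the guessed password actually worked."""
    return [(ts, m["user"], m["ip"]) for ts, msg in events
            if (m := LOGIN_RE.search(msg)) and m["outcome"] == "succeeded"
            and (m["user"], m["ip"]) in sources]


def host_access_enabled(events):
    """Return (timestamp, option) for every sp_configure change that enables a
    host-access option (0 -> 1). 'show advanced options' on its own is not flagged."""
    return [(ts, m["opt"]) for ts, msg in events
            if (m := CONFIG_RE.search(msg)) and m["new"] == "1"
            and m["opt"].lower() in HOST_ACCESS_OPTIONS]


def analyse(text):
    """Run all three checks over one ERRORLOG text."""
    events = parse_errorlog(text)
    bruteforce = detect_bruteforce(events)
    return {
        "bruteforce": bruteforce,
        "takeovers": successful_logins_from(events, bruteforce),
        "host_access_enabled": host_access_enabled(events),
    }


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_ERRORLOG).items():
        print(name, result)
```

Successful logins only reach the ERRORLOG when the instance's login auditing is set to record both failed and successful logins (the default records failures only), so the "takeover" check depends on that setting; the configuration-change messages are written regardless. On a real server, pair these checks with a query of sys.configurations for the same three options so that an enable that predates the log retention is not missed.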

Active since at least June 2021, the Mallox group runs a Ransomware-as-a-Service operation distributing the ransomware of the same name. The gang uses double extortion: it encrypts the victim's data and also threatens to publish the copies it has exfiltrated. The research also highlights the role of affiliates in the Mallox network, focusing on operators with distinct tactics and ransom demands, including Maestro, Vampire and Hiervos.

Additionally, the research casts suspicion on AS208091, belonging to the hosting provider Xhost Internet, which has previously been linked to ransomware activity.

“While formal links with cybercrime-related activities remain unproven, the involvement of this AS in previous instances of ransomware compromise and the longevity of the IP address monitoring is intriguing,” reads the blog post. “Sekoia.io analysts will continue to monitor activities associated with this AS and to investigate the related operations.”