
Cyber Criminals Exploiting MS-SQL Servers To Deploy Mallox Ransomware

The MS-SQL (Microsoft SQL) honeypot incident that took place recently highlighted the sophisticated strategies used by cybercriminals that rely on the Mallox ransomware (also known as Fargo, TargetCompany, Mawahelper, etc.). 

The honeypot, set up by the Sekoia researchers, was targeted by an intrusion set employing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting multiple MS-SQL vulnerabilities. 

Upon analysing Mallox samples, the researchers detected two different affiliates that had different goals: one was more interested in taking advantage of vulnerabilities in the system, while the other sought larger-scale breaches of information systems. 

The "sa" account (SQL Administrator) was the target of the initial brute-force attack that gained access to the MS-SQL server. The attack was successful within an hour of its deployment. Throughout the monitoring period, the attacker continued to use brute-forcing, displaying an intense effort. 

There were attempts at exploitation, and certain trends were found. The attacker used a number of strategies, including enabling specific server options, building assemblies, and using Ole Automation Procedures and xp_cmdshell to execute commands. The payloads pointed to a .NET loader called PureCrypter, which in turn launched the Mallox ransomware. A threat actor going by the identity PureCoder sells PureCrypter as Malware-as-a-Service. It uses a number of evasion techniques to hinder detection and analysis.
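As a defender's view of the sequence described above (an added example, not Sekoia's code): a small Python detector that walks SQL Server ERRORLOG-style lines looking for a burst of failed "sa" logins, a later successful "sa" login from the same client, and the risky configuration options being switched on. The log lines are constructed for this example; the message shapes follow SQL Server's own wording, while the threshold and time window are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message shapes follow SQL Server's ERRORLOG wording; timestamps and client IP are constructed.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) ")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OPT_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from \d to (?P<new>\d)")

# The options the intrusion set switched on; each lets MS-SQL run code outside the engine.
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}

SAMPLE_LOG = [  # constructed for this example
    f"2024-04-10 09:12:{s:02d}.10 Logon       Login failed for user 'sa'. Reason: Password did not "
    f"match that for the login provided. [CLIENT: 198.51.100.7]" for s in range(0, 12, 2)
] + [
    "2024-04-10 09:12:44.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]",
    "2024-04-10 09:13:05.55 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-04-10 09:13:06.01 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-04-10 09:13:06.40 spid51      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-04-10 09:13:07.10 spid51      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.",
]

def _timestamp(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f") if m else None

def analyse(lines, threshold=5, window=timedelta(minutes=1)):
    """Alerts for: a login-failure burst per client, a later success from that client, risky options enabled."""
    alerts, failures, brute_forcers = [], defaultdict(list), set()
    for line in lines:
        ts = _timestamp(line)
        if ts is None:
            continue
        if m := FAIL_RE.search(line):
            c = m["client"]
            failures[c] = [t for t in failures[c] if ts - t <= window] + [ts]  # sliding window
            if len(failures[c]) >= threshold and c not in brute_forcers:
                brute_forcers.add(c)
                alerts.append(f"brute-force: {len(failures[c])} failed logins for '{m['user']}' from {c}")
        elif m := OK_RE.search(line):
            if m["client"] in brute_forcers:
                alerts.append(f"success-after-brute-force: '{m['user']}' from {m['client']}")
        elif m := OPT_RE.search(line):
            if m["new"] == "1" and m["opt"].lower() in RISKY_OPTIONS:
                alerts.append(f"risky-option-enabled: {m['opt']}")
    return alerts
```

Running `analyse(SAMPLE_LOG)` yields one brute-force alert, one success-after-brute-force alert, and three risky-option alerts; the "show advanced options" line alone is ignored because it is a prerequisite, not the dangerous change itself.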

Active since at least June 2021, the Mallox group is a Malware-as-a-Service organisation that spreads ransomware bearing the same name. The gang employs a double extortion tactic, encrypting stolen data and threatening to leak it. The research also emphasises the role of affiliates in the Mallox network, focusing on those with distinct tactics and ransom demands, including Maestro, Vampire, and Hiervos.

Additionally, the research casts suspicion on AS208091, the hosting provider Xhost Internet, which has previously been linked to ransomware activities. 

“While formal links with cybercrime-related activities remain unproven, the involvement of this AS in previous instances of ransomware compromise and the longevity of the IP address monitoring is intriguing,” reads the blog post. “Sekoia.io analysts will continue to monitor activities associated with this AS and to investigate the related operations.”

Info-stealer and Ransomware Hit Government Organisations

Threat actors have targeted government entities with the PureCrypter malware downloader, which is used to deliver several information stealers and ransomware variants to targeted entities.  

According to a study conducted by researchers at Menlo Security, the threat actor hosted the initial payload of this attack on Discord. A compromised non-profit organization's server was used to host the campaign's follow-on payloads.

Several different types of malware were delivered via the campaign, including Redline Stealer, Agent Tesla, Eternity, Black Moon, and Philadelphia Ransomware, researchers said in a statement. 

Several government organizations in the Asia Pacific (APAC) and North American regions have been targeted by the PureCrypter campaign, according to researchers.

Steps Involved in an Attack 

Firstly, the attacker sends an email containing a Discord app link that points to a password-protected ZIP archive holding a PureCrypter sample, which launches the attack once opened.

PureCrypter has been seen in the wild as a .NET malware downloader since March 2021. Its operator uses it to distribute various types of malware on behalf of other cybercriminals.

The PureCrypter sample itself carries no embedded payload; when executed, it retrieves the next-stage payload from the compromised server of a non-profit organization, which in this case acts as the command and control server.

Researchers from Menlo Security examined an Agent Tesla sample in their study. As soon as it is launched, the Trojan connects to a Pakistan-based FTP server, to which it exfiltrates all the stolen information.

The researchers discovered that the threat actor did not set up this FTP server themselves but took control of an existing one using leaked credentials. As a result, the risk of identification and traceability was reduced.

The Use of Agent Tesla Continues 

Cybercriminals use a malware family called Agent Tesla to compromise Windows systems. Its usage peaked in October 2020 and January 2021.

In a recent report released by Cofense, the company highlights the fact that Agent Tesla remains one of the most cost-effective and highly-capable backdoors in the market, and it has undergone continuous improvements and development during its lifespan.

Agent Tesla accounted for roughly one-third of all keylogger reports recorded by Defense Intelligence in 2022, which may be indicative of the scale of its keylogging activity.

The malware has the following capabilities:

  • Records all of the victim's keystrokes to gather sensitive information such as passwords.
  • Steals saved passwords from web browsers, email clients, and file transfer applications.
  • Captures screenshots of the victim's desktop to harvest confidential information.
  • Reads clipboard contents, including user names, passwords, and credit card numbers.
  • Sends the stolen data to the C2 via FTP, SMTP, or other channels.

A feature of the attacks examined by Menlo Labs was that the threat actors avoided detection by antivirus tools by injecting the Agent Tesla payload into a legitimate process ("cvtres.exe") using process hollowing.

Agent Tesla's communications with the C2 server, as well as its configuration files, are XOR-encrypted to hide them from network traffic monitoring tools.

According to Menlo Security, the threat actor behind PureCrypter is not one of the big players in the threat landscape. Nevertheless, its activities are worth monitoring to determine whether it is targeting government agencies.

The researchers expect the attacker to keep using the compromised infrastructure for as long as possible before seeking out new hosts.