Threat Actors Attacking MS-SQL Servers to Deploy Ransomware

Cybersecurity experts have uncovered a series of sophisticated cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers.

The attackers, identified as the TargetCompany ransomware group, have been deploying the Mallox ransomware in a bid to encrypt systems and extort victims.

This recent campaign draws unsettling parallels with previous attacks involving the Tor2Mine CoinMiner and BlueSky ransomware, signaling a persistent threat to digital security infrastructures.

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

If you want to test all these features now with completely free access to the sandbox:

The TargetCompany group’s modus operandi involves exploiting vulnerabilities in improperly managed MS-SQL servers.

By employing brute force and dictionary attacks, the attackers gain unauthorized access, primarily targeting the SA (System Administrator) account.

Once inside, they deploy the Remcos Remote Access Tool (RAT) to take control of the infected system.

As per the AhnLab Security Intelligence Center (ASEC), there has been a rise in attacks by threat actors on MS-SQL servers to deploy ransomware.

This is followed by the installation of remote screen control malware and, eventually, the Mallox ransomware.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

Remcos RAT, a tool marketed for legitimate remote management, has been repurposed by attackers for malicious activities.

Its capabilities include keylogging, screenshot capture, and control over webcams and microphones.

In the recent attacks, a lighter version of Remcos RAT was used, indicating a strategic choice for smoother remote control without raising suspicion.

Below is the configuration data that was decrypted during the execution of Remcos RAT along with a portion of the major configurations.

Following the initial infection, attackers deployed custom-made remote screen control malware.

To get a string, this malware first links to a C&C server’s “creds” address. However, a link to the command and control website could not be made at the time of analysis.

It is thought that the malware was able to download a string in the “ID; PW” format.

After that, this string is used to add a user account and make it part of the supervisor group.

The threat players could get into the infected system using the AnyDesk ID they got from the command and control server.

They could then verify their identity using the password sent through “secret” and take control of the infected system.

Mallox ransomware, known for targeting MS-SQL servers, was then installed to encrypt the system.

It uses a combination of AES-256 and SHA-256 encryption algorithms, appending a “.rmallox” extension to encrypted files.

Mallox has a function that lets it spread by getting into shared folders.

It also gets basic information from computers that are infected and sends it to the command and control site.

The ransomware meticulously avoids encrypting certain file paths and extensions, focusing on those with potentially valuable data.

The attack patterns observed bear a striking resemblance to previous incidents involving the Tor2Mine CoinMiner and BlueSky ransomware.

The use of newly identified malware, targeting strategies, and the C&C server addresses suggest that these attacks are the work of the same threat group.

The continuous discovery of attacks by the TargetCompany group underscores the critical need for robust cybersecurity measures.

Administrators are urged to enforce strong password policies, regularly update their systems, and employ comprehensive security solutions to thwart such threats.

The persistence and sophistication of these attacks highlight the ongoing risk to MS-SQL servers and the broader digital ecosystem.

To assist in the detection and prevention of such attacks, cybersecurity entities have released identifiers for the malware used in these campaigns:

Behavior detection measures have also been updated to identify malicious activities associated with these attacks.

As the digital landscape continues to evolve, so too does the nature of cyber threats.

The recent campaign by the TargetCompany group serves as a stark reminder of the importance of vigilance and proactive security measures in safeguarding against ransomware attacks.

MD5– 52819909e2a662210ab4307e0f5bf562: Remcos RAT (walkingrpc.bat)– 20dd8410ff11915a0b1f4a5018c9c340: Remote screen control malware (launcher.exe)– 09b17832fc76dcc50a4bf20bd1343bb8: Mallox ransomware (360. exe)– 3297dc417cf85cfcea194f88a044aebd: Remote screen control malware – past case– ff011e8a1d1858f529e8a4f591dc0f02: Remote screen control malware – past case

C&C Servers– 80.66.75[.]238:3388: Remcos RAT– hxxps://80.66.75[.]238:3030: Remote screen control malware– hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php: Mallox ransomware– hxxps://5.188.86[.]237:3030: Remote screen control malware – past case

Download URL– hxxp://42.193.223[.]169/extensioncompabilitynode.exe : Remcos RAT

Is Your Network Under Attack? – Read CISO’s Guide to Avoiding the Next Breach – Download Free Guide

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role. Key takeaways include:Pricing modelsCost EstimationROI Calculation

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.