Mallox Ransomware Deployed Via MS-SQL Honeypot Attack

Written by

A recent incident involving an MS-SQL (Microsoft SQL) honeypot has shed light on the sophisticated tactics employed by cyber-attackers relying on Mallox ransomware (also known as Fargo, TargetCompany, Mawahelper, etc.).

The honeypot, set up by the Sekoia research team, was targeted by an intrusion set utilizing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting various MS-SQL vulnerabilities.

Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches. One focused on exploiting vulnerable assets, while the other aimed at broader compromises of information systems on a larger scale.

Initial access to the MS-SQL server occurred through a brute-force attack targeting the “sa” account (SQL Administrator), which was compromised within an hour of deployment. The attacker persisted in brute-forcing throughout the observation period, indicating a determined effort.

Exploitation attempts were observed, with distinct patterns identified. The attacker leveraged various techniques, including enabling specific parameters, creating assemblies and executing commands via xp_cmdshell and Ole Automation Procedures.

The payloads corresponded to PureCrypter, a loader developed in .NET, which subsequently executed the Mallox ransomware. PureCrypter, sold as a Malware-as-a-Service by a threat actor operating under the alias PureCoder, employs various evasion techniques to avoid detection and analysis.

Read more on PureCrypter: Governments Under Attack: Examining a New PureCrypter Campaign

The Mallox group, a Ransomware-as-a-Service operation distributing the namesake ransomware, has been active since at least June 2021. The group utilizes a double extortion strategy, threatening to publish stolen data in addition to encrypting it.

The research also highlights the role of affiliates in the Mallox operation, particularly focusing on users such as Maestro, Vampire and Hiervos, who exhibit different tactics and ransom demands.

Furthermore, the research raises suspicions regarding the hosting company Xhost Internet, linked to AS208091, which has been associated with ransomware activity in the past. 

“While formal links with cybercrime-related activities remain unproven, the involvement of this AS previous instances of ransomware compromise and the longevity of the IP address monitoring is intriguing,” reads the technical write-up. “Sekoia.io analysts will continue to monitor activities associated with this AS and to investigate the related operations.”

What’s hot on Infosecurity Magazine?