
Mallox Ransomware Deployed Through MS-SQL Honeypot Attack


A recent incident involving an MS-SQL (Microsoft SQL Server) honeypot has brought to light the tactics used by attackers deploying Mallox ransomware, also tracked as Fargo, TargetCompany and Mawahelper, among other aliases. The honeypot, set up by the Sekoia research team, was targeted by an intrusion set that used brute-force techniques to gain access and then deployed the Mallox ransomware through PureCrypter, taking advantage of various vulnerabilities within MS-SQL systems.

Upon closer inspection of the Mallox samples, researchers were able to identify two distinct affiliates using different approaches in their attacks. One affiliate seemed to focus on exploiting specific vulnerable assets, while the other aimed at broader compromises within information systems on a larger scale.

The initial breach of the MS-SQL server was achieved through a brute-force attack against the “sa” account, the built-in SQL Server administrator login, which was compromised within one hour of the honeypot's deployment. The attacker kept up brute-force attempts throughout the observation period, showing persistence in their efforts.

Various exploitation attempts were observed, with the attacker using a range of techniques such as enabling specific server configuration options, creating assemblies, and executing commands through xp_cmdshell and Ole Automation Procedures. The payloads deployed were linked to PureCrypter, a loader written in .NET, which in turn executed the Mallox ransomware. PureCrypter, sold as Malware-as-a-Service by a threat actor operating under the alias PureCoder, employs multiple evasion techniques to hinder detection and analysis.
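The two observable traces of the chain described above, a burst of failed "sa" logins followed by execution-enabling options being switched on, both land in the SQL Server ERRORLOG. The following detection logic is an added example written for this article, not Sekoia's tooling; the log lines are constructed in the shape of real ERRORLOG entries, and the thresholds and client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG output (not from the Sekoia honeypot).
SAMPLE_LOG = """\
2024-03-01 10:15:23.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:15:24.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:15:24.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:15:25.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:15:26.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:41:13.01 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:41:13.40 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
LOGIN_RE = re.compile(r"^(\S+ \S+) Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"^(\S+ \S+) \S+\s+Configuration option '([^']+)' changed from (\d) to (\d)")
# Options that turn a SQL login into OS-level code execution; enabling them is the step the report describes.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

def failed_login_bursts(log, user="sa", threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_count} for clients with >= threshold failed logins for `user` in any window."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group(2) == user:
            per_client[m.group(3)].append(datetime.strptime(m.group(1), TS_FMT))
    alerts = {}
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def risky_config_enables(log):
    """Return [(timestamp, option)] for every execution-enabling option switched from 0 to 1."""
    hits = []
    for line in log.splitlines():
        m = CONFIG_RE.match(line)
        if m and m.group(2) in RISKY_OPTIONS and (m.group(3), m.group(4)) == ("0", "1"):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Correlating a login burst with a configuration change from the same session shortly afterwards is the signal worth paging on; a configuration change alone is also rare enough on a production instance to warrant review.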

The Mallox group, which operates as a Ransomware-as-a-Service operation distributing the Mallox ransomware, has been active since at least June 2021. The group adopts a double extortion strategy, threatening to both encrypt and publish stolen data to extort victims.

The research also emphasized the role of affiliates within the Mallox operation, highlighting users such as Maestro, Vampire, and Hiervos, each employing different tactics and ransom demands. Additionally, the study raised concerns regarding the hosting company Xhost Internet, associated with AS208091, which has previously been linked to ransomware activities.

While there are currently no concrete links to cybercrime-related activities, the recurring involvement of AS208091 in ransomware incidents and the extended monitoring of the IP address have raised suspicion. Analysts at Sekoia.io have committed to ongoing monitoring of activity related to this AS in order to investigate any associated operations further.

In conclusion, the incident involving the MS-SQL honeypot and the infiltration by cyber-attackers utilizing Mallox ransomware serves as a stark reminder of the ever-evolving tactics employed by malicious actors in the digital realm. The research conducted by the Sekoia team sheds light on the complex strategies and operations of ransomware groups like Mallox and underscores the need for continued vigilance and proactive cybersecurity measures to combat such threats effectively.
