
Mallox Ransomware Deployed Through MS-SQL Honeypot Attack


A recent incident involving an MS-SQL (Microsoft SQL) honeypot has brought to light the sophisticated tactics used by cyber-attackers utilizing Mallox ransomware, also known as Fargo, TargetCompany, Mawahelper, among other aliases. The honeypot, which was set up by the Sekoia research team, was targeted by an intrusion set that employed brute-force techniques to deploy the Mallox ransomware through PureCrypter, taking advantage of various vulnerabilities within MS-SQL systems.

Upon closer inspection of the Mallox samples, researchers were able to identify two distinct affiliates using different approaches in their attacks. One affiliate seemed to focus on exploiting specific vulnerable assets, while the other aimed at broader compromises within information systems on a larger scale.

The initial breach of the MS-SQL server was achieved through a brute-force attack against the “sa” account, the built-in SQL Server system administrator login, which was compromised within one hour of the honeypot going live. The attacker kept up brute-force attempts throughout the observation period, showing persistence in their efforts.

Various exploitation attempts were observed, with the attacker using a range of techniques such as enabling server configuration options, creating assemblies, and executing commands through xp_cmdshell and Ole Automation Procedures. The payloads deployed were linked to PureCrypter, a loader written in .NET, which then executed the Mallox ransomware. PureCrypter, offered as Malware-as-a-Service by a threat actor operating under the alias PureCoder, employs multiple evasion techniques to hinder detection and analysis.
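The two steps described above, a burst of failed logins against “sa” followed by the enabling of xp_cmdshell or Ole Automation Procedures, both leave traces in the SQL Server ERRORLOG. The following detection logic is an added example written for this page, not code from Sekoia or from the original report; the log lines are constructed samples modelled on the ERRORLOG format, the client address and timestamps are invented, and the five-failures-in-five-minutes threshold and the watched option list (which also includes 'clr enabled', assumed here to cover the assembly-creation step) are assumptions a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the page): a short brute-force burst
# against 'sa', one unrelated failure, then the dangerous options being switched on.
SAMPLE_ERRORLOG = """\
2024-04-10 09:12:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 09:12:01.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 09:12:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 09:12:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 09:12:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-04-10 09:30:15.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-04-10 10:02:33.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-10 10:02:34.02 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-10 10:02:35.44 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
LOGIN_FAILED = re.compile(
    TS + r" Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGED = re.compile(
    TS + r" \S+\s+Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)

# Options whose enabling is worth an alert on a server that does not need them (assumption).
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def parse_timestamp(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5), users=("sa",)):
    """Return (user, client, count) for each watched user/client pair whose failed
    logins reach `threshold` inside any sliding window of length `window`."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m and m["user"] in users:
            attempts[(m["user"], m["client"])].append(parse_timestamp(m["ts"]))

    alerts = []
    for (user, client), times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, client, end - start + 1))
                break  # one alert per pair is enough
    return alerts


def detect_dangerous_config(lines):
    """Return (option, old, new) for every watched option switched to a non-zero value."""
    findings = []
    for line in lines:
        m = CONFIG_CHANGED.match(line)
        if m and m["option"] in DANGEROUS_OPTIONS and m["new"] != "0":
            findings.append((m["option"], int(m["old"]), int(m["new"])))
    return findings


def analyze(errorlog_text: str) -> dict:
    lines = errorlog_text.splitlines()
    return {
        "brute_force": detect_brute_force(lines),
        "config_changes": detect_dangerous_config(lines),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_ERRORLOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Run against the sample, the brute-force rule fires once for 'sa' from 203.0.113.5 and the configuration rule flags xp_cmdshell and Ole Automation Procedures while ignoring 'show advanced options', which on its own is routine. In production the same two signals are available without log parsing: failed-login audit events and the sp_configure changes captured by a server audit, which is where a SIEM rule would normally be attached.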

The Mallox group, which runs a Ransomware-as-a-Service operation distributing the Mallox ransomware, has been active since at least June 2021. The group follows a double extortion strategy: it encrypts victims' data and threatens to publish the stolen data in order to extort payment.

The research also emphasized the role of affiliates within the Mallox operation, highlighting users such as Maestro, Vampire, and Hiervos, each employing different tactics and ransom demands. Additionally, the study raised concerns regarding the hosting company Xhost Internet, associated with AS208091, which has previously been linked to ransomware activities.

While there are currently no concrete links to cybercrime-related activities, the recurring involvement of AS208091 in ransomware incidents and the extended monitoring of the IP address have raised suspicion. Analysts at Sekoia.io have committed to ongoing monitoring of activity related to this AS in order to investigate any associated operations further.

In conclusion, the incident involving the MS-SQL honeypot and the infiltration by cyber-attackers utilizing Mallox ransomware serves as a stark reminder of the ever-evolving tactics employed by malicious actors in the digital realm. The research conducted by the Sekoia team sheds light on the complex strategies and operations of ransomware groups like Mallox and underscores the need for continued vigilance and proactive cybersecurity measures to combat such threats effectively.
