Key points
- TargetCompany actors are compromising exposed or poorly managed MS-SQL servers via brute-force/dictionary attacks against the SA/administrator account.
- After initial access the attackers use SQLPS to execute and install Remcos RAT (version 4.9.3 Light) to establish remote control and C2 connectivity.
- Remcos is used to deploy additional remote-control tooling: a custom remote screen control malware and AnyDesk (MSI) with credentials from the C2, plus created administrator accounts for persistence.
- The malware collects basic system information and sends it to C2 servers before secondary actions.
- On other compromised hosts the adversary later deploys Mallox ransomware, which deletes volume shadow copies, disables recovery, terminates database/backup/virtualization processes, modifies registry shutdown settings, and encrypts files with an “.rmallox” extension.
- Observed C2 and download infrastructure includes 80.66.75[.]238:3388 (Remcos), hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php (Mallox), and a Remcos download URL at hxxp://42.193.223[.]169/extensioncompabilitynode.exe.
MITRE Techniques
- [T1110] Brute Force – Attackers “attacked the MS-SQL server using brute force and dictionary attacks” to gain SA/administrator access.
- [T1059.001] PowerShell – Adversaries leveraged SQLPS (a PowerShell utility) to execute payloads: “distributed by exploiting the SQLPS utility instead of Powershell after taking over the MS-SQL server…”
- [T1219] Remote Access Software – The actor installed Remcos RAT to control systems: “installed Remcos RAT after logging into the SA account.”
- [T1136] Create Account – The remote-control component downloads credentials and “a user account is added with the ID and password of the string and registered as an administrator group.”
- [T1071.001] Application Layer Protocol: Web Protocols – Infected hosts “collect basic information about the infected system and transmit it to the C&C server” over HTTP/S endpoints.
- [T1490] Inhibit System Recovery – Mallox executes commands to disable recovery and remove shadow copies: “bcdedit … recoveryenabled no” and “vssadmin.exe delete shadows /all /quiet”.
- [T1486] Data Encrypted for Impact – The final objective is encryption of the victim system: Mallox “attempted to encrypt the infected system” using AES-256/AES-128-CTR and appends “.rmallox” to encrypted files.
Indicators of Compromise
- [MD5] malware samples – 52819909e2a662210ab4307e0f5bf562 (Remcos walkingrpc.bat), 09b17832fc76dcc50a4bf20bd1343bb8 (Mallox 360.exe), and 3 more hashes.
- [C2 IP:Port / URL] command-and-control – 80.66.75[.]238:3388 (Remcos), hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php (Mallox C2).
- [Download URL] payload retrieval – hxxp://42.193.223[.]169/extensioncompabilitynode.exe (Remcos download).
- [File names / artifacts] deployed binaries – walkingrpc.bat (Remcos), launcher.exe (remote-control malware), 360.exe (Mallox ransomware).
Within hours the intruders deploy a remote-screen/control component: the malware queries C2 endpoints (/creds, /secret, /desk) to obtain account credentials, an AnyDesk MSI, and a password to configure AnyDesk. The actor adds a local administrator account using the downloaded credentials for persistence, installs/configures AnyDesk (passing parameters to start the service, set password, restart, and obtain the AnyDesk ID), and sends the installed ID back to the C2. The compromised hosts also exfiltrate basic system information to C2 before later stages.
On separate hosts the attacker later installs Mallox ransomware: it deletes volume shadow copies, disables Windows recovery (bcdedit changes), terminates database/backup/virtualization processes, adjusts registry settings to disable shutdown/reboot/logout, and encrypts files (AES-256/AES-128-CTR), appending the “.rmallox” extension. Mallox communicates with its C2 at hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php and drops a ransom note named “HOW TO BACK FILES.txt”.
Read more: https://asec.ahnlab.com/ko/64345
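As an added detection example (not code from the AhnLab report or the malware), the following Python scores process-creation events for the behaviours described above: SQLPS spawned by the SQL Server service process (T1059.001), the vssadmin/bcdedit recovery-inhibition commands Mallox runs (T1490), and an AnyDesk MSI install (T1219). The event field names, file paths and the `{default}` bcdedit target are assumptions; the events are constructed, not real telemetry.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "db01", "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Tools\Binn\SQLPS.exe",
     "cmdline": "SQLPS.exe"},
    {"host": "db01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "db01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},  # {default} assumed
    {"host": "fs02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# (technique, description, predicate over one event)
RULES = [
    ("T1059.001", "SQLPS spawned by sqlservr.exe",
     lambda e: e["parent"].lower().endswith("sqlservr.exe")
     and e["image"].lower().endswith("sqlps.exe")),
    ("T1490", "shadow copy deletion",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmdline"], re.I)),
    ("T1490", "recovery disabled",
     lambda e: re.search(r"bcdedit.*recoveryenabled\s+no", e["cmdline"], re.I)),
    ("T1219", "AnyDesk MSI install",
     lambda e: re.search(r"msiexec.*anydesk", e["cmdline"], re.I)),
]


def match_events(events):
    """Return (host, technique, description) for every event that hits a rule."""
    hits = []
    for e in events:
        for tech, desc, pred in RULES:
            if pred(e):
                hits.append((e["host"], tech, desc))
    return hits


def hosts_with_recovery_inhibition(events):
    """Hosts where both T1490 commands fired: the pre-encryption pattern Mallox shows."""
    seen = {}
    for host, tech, desc in match_events(events):
        if tech == "T1490":
            seen.setdefault(host, set()).add(desc)
    return sorted(h for h, d in seen.items() if len(d) == 2)
```

Running both T1490 rules per host, rather than alerting on each command alone, separates the Mallox sequence from a lone administrative vssadmin call.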