ASEC analyzed TargetCompany’s attacks on MS-SQL servers, revealing a campaign that installs Mallox ransomware after initial access via brute force, Remcos RAT, and remote control tools like AnyDesk. The activity links Mallox, BlueSky, and Tor2Mine campaigns under one actor, highlighting poorly managed MS-SQL servers as a repeat entry point. #Mallox #BlueSky #Tor2Mine #Remcos #AnyDesk #MS-SQL #TargetCompany
Keypoints
- The TargetCompany group targets poorly managed MS-SQL servers using brute force and dictionary attacks on the SA account to gain access.
- Remcos RAT is installed after initial access, and remote screen control malware is added a few hours later to sustain the operation and enable potential data exfiltration.
- Mallox ransomware is repeatedly deployed and observed attempting encryption on infected hosts, with prior links to BlueSky and Tor2Mine campaigns.
- AnyDesk is installed via a C2-driven process to enable ongoing remote control, including creation of a new admin user for persistence.
- The attackers leverage a C2 channel to download credentials, AnyDesk MSI, and related commands, illustrating a multi-stage, multi-tool intrusion chain.
- Defensive guidance emphasizes strong passwords, promptly applying updates, restricting external DB server access, and monitoring for brute-force attempts on MS-SQL servers.
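The last point, monitoring for brute-force attempts on MS-SQL servers, is the one a defender can act on immediately. The following script is an added example, not code from ASEC or from the article: it scans SQL Server ERRORLOG-style lines for the `Login failed for user` messages (error 18456) that the default audit setting already writes, flags a client IP that accumulates a configurable number of failures inside a sliding window, and separately flags a later successful login from an IP that was already flagged, which is the pattern of a brute-force or dictionary attack against `sa` that eventually succeeds. The log excerpt, the IP addresses (TEST-NET ranges) and the thresholds are all constructed for the example; successful logins only appear in the ERRORLOG if the instance is configured to audit both failed and successful logins, so the second detection assumes that setting.

```python
"""Flag brute-force / dictionary attacks against MS-SQL logins from ERRORLOG lines.

Added example (not the article's code). Assumes the SQL Server default of
logging failed logins; 'Login succeeded' lines require the server to audit
both failed and successful logins.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from the article): five failures against
# 'sa' from one client within seconds, one unrelated failure from another host,
# a sixth failure, and finally a successful 'sa' login from the attacking client.
SAMPLE_LOG = """\
2024-05-20 10:15:32.45 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-20 10:15:32.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:15:33.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:15:33.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:15:34.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:15:35.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:15:40.02 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-05-20 10:15:41.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-20 10:16:02.77 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Timestamp, login name and client IP as SQL Server writes them to the ERRORLOG.
_PREFIX = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
_CLIENT = r".*\[CLIENT: (?P<ip>[^\]]+)\]$"
LOGIN_FAILED = re.compile(_PREFIX + r"Login failed for user '(?P<user>[^']*)'\." + _CLIENT)
LOGIN_OK = re.compile(_PREFIX + r"Login succeeded for user '(?P<user>[^']*)'\." + _CLIENT)


def _ts(match):
    return datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return findings for clients exceeding `threshold` failed logins within `window`,
    plus a second finding if such a client later logs in successfully."""
    recent = defaultdict(deque)   # client IP -> (timestamp, user) failures inside the window
    flagged = set()               # client IPs already reported as brute-forcing
    findings = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts, ip = _ts(m), m["ip"]
            q = recent[ip]
            q.append((ts, m["user"]))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in q})
                findings.append({
                    "type": "bruteforce", "ip": ip, "users": users,
                    "sa_targeted": "sa" in users, "failures": len(q),
                    "first": q[0][0], "last": ts,
                })
            continue
        m = LOGIN_OK.match(line)
        if m and m["ip"] in flagged:
            # A success after a flagged burst is the signal that matters most.
            findings.append({"type": "bruteforce_success", "ip": m["ip"],
                             "user": m["user"], "at": _ts(m)})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f)
```

The window is keyed on client IP rather than on login name so that a dictionary attack cycling through several accounts from one host is still caught; the `sa_targeted` flag lets the alert be prioritised, since the article's intrusion chain starts with that account. Tune `threshold` and `window` against the instance's normal failure rate before deploying.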
MITRE Techniques
- [T1110] Brute Force – Targeted the MS-SQL server with brute force and dictionary attacks, subsequently logging into the SA account. [‘The threat group targeted the MS-SQL server with brute force and dictionary attacks, subsequently installing Remcos RAT after logging into the SA account.’]
- [T1059.001] PowerShell – Used the SQLPS utility instead of PowerShell to install malware, aiding evasion. [‘the SQLPS tool was used during the malware installation process.’]
- [T1136] Create Account – Created a new user and registered it to the administrator group to maintain access. [‘to add a user account and register it to the administrator group.’]
- [T1021.001] Remote Services – Remcos RAT and remote-control malware enable login and remote screen control after infection. [‘log in to the infected system via Remote Desktop Protocol (RDP) and perform remote screen control.’]
- [T1071.001] Web Protocols – C2 traffic uses HTTP(S) endpoints (creds/secret/desk/gate) to fetch credentials and install AnyDesk, showing application-layer C2. [‘Downloads user account string to be added (ID;PW format)’]
- [T1486] Data Encrypted for Impact – Mallox encryption details (AES-256 / SHA-256, AES-128-CTR). [‘Encryption algorithm AES-256 / SHA-256, AES-128-CTR’]
- [T1490] Inhibit System Recovery – Deletes volume shadow copies and disables recovery features to hinder recovery. [‘Deletes volume shadow copies. Deactivates the recovery feature.’]
- [T1021.002] SMB/Windows Admin Shares – Propagates by accessing shared folders for lateral movement. [‘propagate itself by accessing shared folders.’]
Indicators of Compromise
- [IP Address] Remcos C2 / Remote control – 80.66.75.238:3388, 80.66.75.238:3030
- [URL] C2 & download endpoints – 91.215.85.142/QWEwqdsvsf/ap.php, 42.193.223.169/extensioncompabilitynode.exe
- [MD5] File hashes – 52819909e2a662210ab4307e0f5bf562, 20dd8410ff11915a0b1f4a5018c9c340
- [MD5] Mallox-related – 09b17832fc76dcc50a4bf20bd1343bb8
- [MD5] Remote screen control malware (past case) – ff011e8a1d1858f529e8a4f591dc0f02
- [File name] Mallox ransom note – HOW TO BACK FILES.txt
- [URL] Mallox C2 – hxxp://91.215.85[.]142/QWEwqdsvsf/ap.php
Read more: https://asec.ahnlab.com/en/64921/