Ransomware Spotlight: TargetCompany – Security News

TargetCompany ransomware follows a multi-stage attack chain: exploitation of a public-facing application (a vulnerable or misconfigured database server), rapid execution, persistence, and data encryption. The operation relies on WMI, PowerShell, registry-based autostart entries, service abuse, and extensive defense evasion, while dropping Remcos and leaving Mimikatz remnants behind.

Key points

  • Initial access via Exploit Public-Facing Application, with execution of the Remcos loader via WmiPrvSE.exe.
  • Execution includes PowerShell commands (encoded) and Windows CMD actions to terminate services and modify files/registry.
  • Persistence achieved through Registry Run Keys / Startup Folder, startup registry entries, autostart macros, and new services.
  • Defense evasion features include file/dir permission modifications, masquerading as legitimate software (avast.exe), and service/file hijacking techniques.
  • Credential access and discovery involve Mimikatz remnants, system language checks, network scanning, and lateral movement via remote desktop.
  • Impact features encryption with extensive exclusions, deletion of shadow copies, and prevention of recovery; data exfiltration and cleanup actions observed.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “Malware actors take advantage of vulnerable, unmanaged, or misconfigured database servers to gain a foothold on the victim’s network. Based on logs, it executes the Remcos loader via WmiPrvSE.exe”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “The TargetCompany ransomware drops and executes the following file to terminate services and processes: %User Temp%\Vqstxggumqhfwkill$.bat” and “The malware then executes the following PowerShell command: %System%\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwNvbgA…”
  • [T1047] Windows Management Instrumentation – “The ransomware runs the parent process: C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe” and “The wmic.exe process call then creates the following process: C:\Users\MSSQL$~1\AppData\Local\Temp\V70SP8HC.exe”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “TargetCompany then uses command-line tools to alter registry or file data. It drops and executes the following file that contains commands to delete services and terminate processes: %User Temp%\Dwghpjxmueqxokshkill$.bat”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “The ransomware then creates an autostart registry key and adds the following registry entries to enable its automatic execution at every system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, Qawjvy = %Application Data%\Aabza\Qawjvy.exe”
  • [T1574.010] Hijack Execution Flow: Services File Permissions Weakness – “TargetCompany then creates the following processes: C:\Windows\SysWOW64\cacls.exe cacls” and “C:\Windows\system32\cmd.exe /g Administrators:f”
  • [T1543.003] Create or Modify System Process: Windows Service – “The ransomware also adds and runs the following services: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast, ImagePath = %Windows%\avast.exe”
  • [T1222.001] Windows File and Directory Permissions Modification – “The ransomware modifies file/directory permissions using cacls commands…”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – “The ransomware then drops its own copy to the following directories for defense evasion: %Windows%\avast.exe, \\{IP Address}\admin$\avast.exe, \\{IP Address}\c$\avast.exe”
  • [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – “TargetCompany then injects code into the following process: %Windows%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe”
  • [T1218] System Binary Proxy Execution – “The ransomware also injects code into the following process: %Windows%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe”
  • [T1070.004] Indicator Removal on Host – “The ransomware then deletes %User Temp%\Vqstxggumqhfwkill$.bat after terminating and deleting services/processes.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – “Trend Micro Smart Protection Network logs show that some executed indicators of compromise (IOCs) are related to GMER including the following: … Tagged as PUA.Win32.GMER.YABBI”
  • [T1112] Modify Registry – “TargetCompany then deletes the following registry keys: …”
  • [T1620] Reflective Code Loading – “The ransomware connects to the following link to load the encrypted payload: http://{BLOCKED}.{BLOCKED}.44.142/arx-Kbcmvm_Rrkpioky.jpg”
  • [T1070.004] Indicator Removal: File Deletion – “The ransomware attempts to delete itself… It encrypts files and appends the ‘.avast’ file extension…”
  • [T1567] Exfiltration Over Web Service – “Royal uses rclone to exfiltrate stolen information over web service.”
  • [T1082] System Language Discovery – “TargetCompany does not continue its routine if the User Default Language ID … Russian/Kazakh/Belarusian/Ukrainian/Tatar”
  • [T1049] System Network Connections Discovery – “TargetCompany uses the file HQO.exe that performs network scanning in the infected environment.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – “Remnants linked to open-source malware program Mimikatz: … SHA1: 45941756c936fd6decf8269fc110562d91bb443d”
  • [T1071.001] Application Layer Protocol: Web Protocols – “Connects to the following Remcos download URL: 80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp” and “Connects to the following kill$ download URL: 80[.]66[.]75[.]25:80/kill$[.]exe”
  • [T1570] Lateral Tool Transfer – “TargetCompany threat actors use RCE via remote desktop to move laterally within their victim’s network.”
  • [T1489] Service Stop – “TargetCompany terminates a list of processes and services if found running.”
  • [T1486] Data Encrypted for Impact – “The ransomware encrypts files and enforces the ‘.avast’ extension, with numerous exclusions listed.”
  • [T1490] Inhibit System Recovery – “TargetCompany deletes volume shadow copies via vssadmin, bcdedit, and related commands.”
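As an added illustration (not code from the Trend Micro report), the behaviours quoted above turned into detection rules and run over constructed process-creation and registry events. The event field names and all sample values are assumptions modelled on the quoted paths; the encoded command reuses the `Start-Sleep` prefix that the page's base64 fragment decodes to.

```python
import base64
import re

# Constructed sample telemetry (not real logs), shaped after the quoted TargetCompany behaviours.
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r"wmic.exe process call create C:\Users\MSSQL$~1\AppData\Local\Temp\V70SP8HC.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + base64.b64encode("Start-Sleep -Seconds 5".encode("utf-16le")).decode()},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r"cacls C:\Windows\avast.exe /g Administrators:f"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\services\avast", "value": "ImagePath",
     "data": r"C:\Windows\avast.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Qawjvy",
     "data": r"C:\Users\bob\AppData\Roaming\Aabza\Qawjvy.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign control event, must not alert
]

def decode_encoded_command(cmdline):
    """Return the decoded -enc payload (PowerShell uses base64 of UTF-16LE), or None if absent/invalid."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return a list of (technique, reason) hits for one event; empty list means no rule fired."""
    hits = []
    if event["type"] == "process":
        parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
        # sqlservr.exe -> wmic.exe/WmiPrvSE.exe launching a binary out of a Temp directory (T1190/T1047)
        if parent.endswith("sqlservr.exe") and image.endswith(("wmic.exe", "wmiprvse.exe")) and re.search(r"\\temp\\", cmd, re.I):
            hits.append(("T1190/T1047", "SQL Server spawning WMI that launches a binary from Temp"))
        if image.endswith("powershell.exe") and (decoded := decode_encoded_command(cmd)) is not None:
            hits.append(("T1059.001", f"encoded PowerShell: {decoded!r}"))
        if image.endswith("cacls.exe") and re.search(r"/g\s+administrators:f", cmd, re.I):
            hits.append(("T1222.001", "cacls granting Administrators full control"))
    else:
        key, data = event["key"].lower(), event["data"].lower()
        if "\\currentcontrolset\\services\\" in key and event["value"].lower() == "imagepath" and re.search(r"\\windows\\avast\.exe$", data):
            hits.append(("T1543.003/T1036.005", "service named avast with ImagePath directly under %Windows%"))
        if key.endswith("\\currentversion\\run") and "\\appdata\\roaming\\" in data:
            hits.append(("T1547.001", f"Run value {event['value']} pointing into %Application Data%"))
    return hits

def scan(events):
    """Apply classify() to every event; returns (event index, technique, reason) triples."""
    return [(i, t, r) for i, e in enumerate(events) for t, r in classify(e)]
```

Each rule keys on the parent/child relationship or registry location rather than the random file names, which change per sample.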

Indicators of Compromise

  • [Hash] SHA1 – 539c228b6b332f5aa523e5ce358c16647d8bbe57 – Mimikatz-related artifact (remnants) observed in Smart Protection Network logs
  • [File name] Vqstxggumqhfwkill$.bat – Bat file used to terminate services/processes
  • [File name] Dwghpjxmueqxokshkill$.bat – Bat file used to terminate services/processes
  • [File name] JrpnqmNyovdlxx.exe – Dropped copy used in persistence
  • [File name] V70SP8HC.exe – Created by wmic process call
  • [File name] 911.exe – GMER-related utility detected (PUA.Win32.GMER.YABBI)
  • [File name] kxldrpog.sysi – Registry-related artifact observed in GMER context
  • [Registry] Run key – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with Qawjvy = %Application Data%\Aabza\Qawjvy.exe
  • [Registry] Service ImagePath key – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast, ImagePath = %Windows%\avast.exe
  • [URL] http://{BLOCKED}.{BLOCKED}.44.142/arx-Kbcmvm_Rrkpioky.jpg – Reflective code loading payload
  • [URL] 80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp – Remcos download URL
  • [URL] 80[.]66[.]75[.]25:80/kill$[.]exe – kill$ download URL

Read more: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany