Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns

MITRE Techniques

• [T1110] Brute Force – Initial access occurred through a brute-force attack targeting the MS-SQL server. ‘The initial access occurred through a brute-force attack targeting the MS-SQL server… approximately 320 attempts per minute during this timeframe.’
• [T1059.003] Windows Command Shell – xp_cmdshell was used to spawn a Windows command shell and execute commands. ‘The attacker… enabled xp_cmdshell parameters to allow SQL Server to spawn a Windows command shell and pass in a string for execution. This is a well known technique used by attackers to compromise MS-SQL servers.’
• [T1059.001] PowerShell – PowerShell was used to download and execute payloads. ‘…download a binary and saves it to the ProgramData folder; … calls PowerShell to execute the script; … uses WMIC to execute the binary.’
• [T1105] Ingress Tool Transfer – The payload downloads a file from the Internet and stores it for execution. ‘The payload downloads a file from the Internet. The file has a random name and a multimedia file extension…’
• [T1027] Obfuscated/Compressed Files or Information – The next-stage payload is loaded from a decrypted/packed resource. ‘This resource is a protobuf definition… the long entry is the Mallox PE stored encrypted using AES in CBC mode.’
• [T1547.001] Boot or Logon Autostart – Persistence via Run registry key. ‘The malware ensures its persistence on the infected host by adding a registry key in the current user hive under SoftwareMicrosoftWindowsCurrentVersionRun.’
• [T1562.001] Disable or Modify Security Tools – Defense evasion through ETW and AMSI patching. ‘EtwEventWrite Patching to avoid system logging events’ and ‘Amsi ScanBuffer patching.’
• [T1486] Data Encrypted for Impact – Mallox encrypts files across disks after discovery. ‘The main function of the ransomware iterates through the disks and drives of the infected host to encrypt files.’
• [T1490] Inhibit System Recovery – The ransomware disables recovery options and boots fail-safes. ‘bcdedit /set {current} bootstatuspolicy ignoreallfailures’ and ‘recoveryenabled no’
• [T1562.004] Indicator Removal on Host – Cleanup and disablement of recovery/logging features via system modifications documented in the activity (e.g., AMSI/ETW patching).
• [T1620] Reflective Code Loading – Mallox stage2 uses Reflective DLL loading to execute the dropped payload. ‘A .NET library is obtained after decryption… Its first action is to load a third-party payload from the resources; This third-party payload is the Mallox ransomware.’