Tomcat
Hackers actively recruit accomplices on cybercrime forums.
In 2023, Mallox ransomware activity increased significantly — by 174% compared to last year, according to new data obtained by Unit 42 specialists from Palo Alto Networks.
"Mallox, like many other extortionate groups, follows the strategy of double extortion: first, they steal data, then encrypt files in the victim's organization and threaten to publish the stolen information in order to force them to pay a ransom," according to a recent report by cybersecurity experts Lior Rochberger and Shimi Cohen.
According to the researchers, the Mallox ransomware is closely linked to other attackers, such as TargetCompany, Tohnichi, Fargo, and the recently launched Xollam. The Mallox group itself was spotted in June 2021. Among the main targets of hackers are manufacturing companies, professional services firms, and wholesale and retail trade.
A distinctive feature of these extortion groups is the compromise of poorly protected MS-SQL servers by brute-forcing passwords, which gives them a way into their victims' networks. Xollam, in turn, differs in that it uses malicious OneNote attachments for initial access.
After successful penetration, a PowerShell command is executed to download the ransomware from a remote server. The program itself tries to stop SQL services, delete volume shadow copies, clear the system event logs, terminate security-related processes, and bypass Raccine, a tool designed to counter ransomware. After that, encryption starts, and a ransom note is left in each directory.
Experts attribute the increase in ransomware activity to the fact that it still brings cybercriminals huge revenues: in the first six months of 2023 alone, ransomware operators collected at least $449.1 million, according to Chainalysis.
The sharp increase in the number of Mallox attacks is only part of the overall trend: the number of ransomware attacks increased by 221% over the year, and in June 2023 alone, 434 incidents were recorded. One of the main reasons for these grim statistics is the exploitation of the MOVEit Transfer vulnerability by the Clop group.
"In recent months, the Mallox group has become more active, and their recruitment attempts may lead to attacks on even more organizations," experts warn.
======
The group has updated its toolset to deploy Remcos RAT, BatCloak, and Metasploit for covert attacks on SQL servers.
The Mallox ransomware group, also known as TargetCompany, Fargo, and Tohnichi, has been noticeably active recently. Its victims are increasingly organizations with vulnerable SQL servers.
As Trend Micro researchers found out, Mallox attackers use a new version of their own ransomware in combination with other tools, such as the remote access Trojan Remcos and the BatCloak obfuscator. This allows them to gain a foothold in the victim's system and avoid detection.
According to experts, the main method of penetrating an organization's network remains the same: exploiting old vulnerabilities in SQL servers, CVE-2020-0618 and CVE-2019-1068. However, at later stages of the attack, the attackers change tactics to remain undetected.
While investigating suspicious PowerShell activity, Trend Micro specialists found that a new version of Mallox was being used. The initial entry attempt, however, was blocked by existing security measures.
The criminals then turned to auxiliary tools, such as FUD packers and Metasploit, to bypass the protection. FUD (fully undetectable) packing is an obfuscation method that automatically masks the ransomware so that signature-based detection does not catch it, and Metasploit is an attack framework that was used to download the encrypted Mallox payload.
The use of FUD packers and Metasploit is nothing fundamentally new in the attackers' arsenal. However, it shows that groups like Mallox are constantly refining their methods of circumventing security measures.
According to Trend Micro experts, most Mallox victims have vulnerable SQL servers that are used for initial penetration. Therefore, organizations are encouraged to check their systems for vulnerabilities and fix them.
In addition, since the obfuscation methods used by Mallox can bypass traditional security tools, it is worth adding artificial intelligence-based solutions for analyzing files and behavior.
In general, to protect against groups like Mallox, experts recommend a comprehensive approach that includes eliminating vulnerabilities, network segmentation, using specialized ransomware detection tools, and raising users' awareness of possible risks.
This multi-level approach will minimize the damage caused by the activities of criminal groups that use ransomware to attack commercial organizations and government agencies. Cybersecurity requires continuous improvement of security measures in response to sophisticated methods of modern attackers.
==========
Trend Micro analysts found a Linux version of the TargetCompany encryptor, which previously attacked databases in Windows environments. The new version is delivered in a rather tricky way.
The return of an old friend who never left
Trend Micro experts have identified a new version of the TargetCompany encryptor, this time aimed at systems running Linux. With it, attackers are actively attacking VMware ESXi virtualization environments, using a special shell script to deploy and launch the malicious payload.
TargetCompany is also known as Mallox, FARGO, and Tohnichi. Its discovery dates back to June 2021. It is mainly known as a Windows encryptor. It was successfully used against MySQL, Oracle, and SQL Server databases owned by organizations in Taiwan, South Korea, Thailand, and India.
In February 2022, antivirus vendor Avast announced a free tool for decrypting files locked by TargetCompany. The group using the encryptor went quiet for a while, but by September it had resumed regular attacks. Most of its victims were vulnerable Microsoft SQL servers.
The newly discovered Linux variant, in turn, attacks VMware environments by encrypting, in particular, all files with the vmdk, vmem, vswp, vmx, vmsn, and nvram extensions and appending its own extension, .locked.
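One defensive use of the extension list above, as an added example that is not from the page or from Trend Micro: a Python triage script that takes an ESXi datastore file listing (here a constructed sample) and reports, per VM directory, how many files were renamed with .locked, whether the .vmx configuration or the .vmdk disks are among them, and how many target files survived. The regular expressions, file names and datastore path are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions the page says the Linux variant encrypts, and the suffix it appends.
TARGET_EXTS = ("vmdk", "vmem", "vswp", "vmx", "vmsn", "nvram")
LOCKED_RE = re.compile(r"\.(%s)\.locked$" % "|".join(TARGET_EXTS), re.IGNORECASE)
INTACT_RE = re.compile(r"\.(%s)$" % "|".join(TARGET_EXTS), re.IGNORECASE)

def classify_path(path):
    """Return (vm_dir, ext, 'locked'|'intact') for VM files, None for anything else."""
    p = PurePosixPath(path)
    m = LOCKED_RE.search(p.name)
    if m:
        return str(p.parent), m.group(1).lower(), "locked"
    m = INTACT_RE.search(p.name)
    if m:
        return str(p.parent), m.group(1).lower(), "intact"
    return None

def triage(paths):
    """Group a datastore listing by VM directory; report only VMs with renamed files."""
    per_vm = defaultdict(lambda: {"locked": defaultdict(int), "intact": 0})
    for path in paths:
        c = classify_path(path)
        if c is None:
            continue  # logs, .vmsd, etc. are not targets
        vm_dir, ext, state = c
        if state == "locked":
            per_vm[vm_dir]["locked"][ext] += 1
        else:
            per_vm[vm_dir]["intact"] += 1
    report = []
    for vm_dir in sorted(per_vm):
        locked = per_vm[vm_dir]["locked"]
        report.append({"vm_dir": vm_dir, "locked_files": sum(locked.values()),
                       "intact_files": per_vm[vm_dir]["intact"],
                       "config_locked": "vmx" in locked,   # cannot re-register from config
                       "disk_locked": "vmdk" in locked})   # disk contents unreadable
    return [r for r in report if r["locked_files"]]
# Constructed sample listing of an ESXi datastore (not from the page).
DS = "/vmfs/volumes/datastore1"
SAMPLE_LISTING = [DS + p for p in (
    "/web01/web01.vmx.locked", "/web01/web01.vmdk.locked",
    "/web01/web01-flat.vmdk.locked", "/web01/web01.nvram.locked",
    "/web01/vmware.log", "/db02/db02.vmx",
    "/db02/db02.vmdk.locked", "/db02/db02-flat.vmdk")]
if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING): print(row)
```

A VM whose .vmx is reported as locked cannot simply be re-registered on the host, which is the case to prioritise when restoring from backups.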
"A successful attack on the virtualization environment can lead to a shutdown of processes for all clients who currently use this environment," says Mikhail Zaitsev, an information security expert at SEQ. According to him, virtual host operators in this case are under enormous pressure, since they are not the only ones who lose time and money. "This is the case when it is easier to prevent than to correct the consequences," Mikhail Zaitsev concluded.
An unusual delivery route
Trend Micro experts noted that this time the attackers are using a new technique: a PowerShell script and packers designed to evade detection (Fully Undetectable Packers, FUD) are used to bypass security tools.
The Trend Micro publication does not say exactly how the attackers deliver this script to the system. Judging by the diagram in the report, the attackers already have initial access at the start of the attack, obtained through vulnerable, compromised SQL servers.
After the initial download, the PowerShell script loads and runs the main malicious payload. The payload checks the environment it is running in and sends the host name, IP address, operating system, the currently logged-in users and their privileges, unique identifiers, and details about the encrypted files and directories to the command-and-control server.
Then the file encryption process starts and a ransom demand is generated.
At the end of all these procedures, the malware tries to remove any traces of its presence in the system in order to complicate the subsequent investigation.
According to Trend Micro analysts, the attacks on Linux systems are carried out by one of the affiliates of the main TargetCompany operator, a group called Vampire.
Previously, the same group carried out regular attacks on MS SQL databases.
The Trend Micro study indicates that IP addresses associated with the delivery of malware are related to the networks of an Internet service provider in China, but this is not enough for unambiguous attribution.
It should also be noted that the current iterations of TargetCompany also exfiltrate confidential data to attacker-controlled servers. The encryptor's operators then additionally blackmail victims by publishing this information on Telegram.