MS-SQL targeted: TargetCompany attacks servers with Mallox ransomware

The malicious campaign demonstrates the hackers' desire for covert management of infected systems.

Cybersecurity experts from ASEC identified a series of advanced cyber attacks targeting Microsoft SQL (MS-SQL) servers. A group of attackers known as TargetCompany uses the Mallox ransomware to encrypt systems and extort victims.

The group's attacks resemble previous incidents involving the Tor2Mine miner and the BlueSky ransomware, which indicates an ongoing threat to digital security. TargetCompany's methods involve exploiting improperly managed MS-SQL servers, where the attackers gain unauthorized access through dictionary and brute-force attacks, primarily against the system administrator (sa) account.

After entering the system, the attackers install the remote access tool Remcos RAT, which gives them full control of the infected host. It should be noted that Remcos RAT, a tool originally designed for legitimate remote management, has long been adapted for malicious purposes. The attacks used a simplified version of Remcos, which indicates the attackers' desire for smoother remote control without attracting attention.

After the initial infection, the attackers also deploy their own malware for remote management, and then the Mallox ransomware. Mallox, which targets MS-SQL servers, uses the AES-256 and SHA-256 algorithms and appends the extension ".rmallox" to the encrypted files. It avoids encrypting specific paths and file extensions, focusing only on potentially valuable data.

The attack patterns observed in this campaign are strikingly similar to previous TargetCompany incidents, which allowed ASEC experts to attribute these malicious actions to the participants of this group.

MS-SQL server administrators are strongly encouraged to apply strong password policies, update their systems regularly, and use comprehensive security solutions to prevent such threats.
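As an added illustration from the defender's side (not part of the original post or of ASEC's report): the dictionary and brute-force attempts against the sa account described above leave repeated "Login failed for user 'sa'" entries in the SQL Server ERRORLOG. The Python script below parses constructed sample lines in that format and flags any client that fails more than a threshold of times inside a short window, also noting whether a successful login followed from the same source, which is the precursor to the Remcos and Mallox deployment described here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG logon entries (not real data).
SAMPLE_LOG = """\
2024-05-02 03:11:07.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-02 03:11:07.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-02 03:11:07.68 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-02 03:11:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-02 03:11:08.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-02 03:11:09.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-05-02 09:40:12.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "ok": m["result"] == "succeeded",
                "user": m["user"],
                "client": m["client"],
            })
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {(client, user): {"failures": n, "success_after": bool}} for every
    source that accumulates `threshold` failed logins inside a sliding `window`."""
    alerts = {}
    fails = defaultdict(list)  # (client, user) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client"], ev["user"])
        if not ev["ok"]:
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(fails[key]) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "success_after": False})
                a["failures"] = max(a["failures"], len(fails[key]))
        elif key in alerts:
            # a success after a burst of failures is the guess-then-login pattern worth escalating
            alerts[key]["success_after"] = True
    return alerts
```

Running `find_bruteforce(parse_logon_events(SAMPLE_LOG))` on the constructed log flags only 203.0.113.5 against sa, with the later success marked; the single failure from 10.0.0.8 stays below the threshold.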

As the digital landscape and the nature of cyber threats continue to evolve, vigilance and proactive security measures remain essential in protecting against ransomware attacks.